Questions[web-applications](server)

Question says it all. We are designing a system where security is very important. One of the ideas someone had was to force users to change passwords every 3 months. My take on this is that while its more secure because the password changes often it also forces our users to remember ever changing passwords and makes it more possible that they will just write it down somewhere to help remember.

In the same idea is it really good to force users to use a super hard to guess password. Force them to use ?%&% and uppercase lowercase letters. I know its quite the hassle to invent such a password and then remembering it.

Then again we do not want anyone using 12345.

So. Is there any whitepapers about this subject? Good practice?

I am talking about a website created with PHP. MySQL in a lamp environment if that changes anything.

There is something I don't get, one of my web apps has a small form that allows you to enter you name and email address to "subscribe" to a user list for a site I maintain. The site is very low traffic, and only useful to a very small number of people that live in a very small town..it would be of no interest to anyone else.

Yet, every day, sometimes many times per day, someone (or a bot) is entering fictitious names and probably bogus email addresses into the form.

This form is not even active on my site anymore, it just happens to still exist as an orphaned page on my IIS directory (which tells me that someone is searching for these types of forms via Google, because there is no path to this form if you come in thru the default page.

This is not a big hassle for me, I can solve the problem with captcha, but what I don't understand is for what purpose would someone setup a bot to repeatedly fill in forms? I figure there must be a reason, but for the life of me don't know why?

What am I missing?

I'm looking for a trouble ticket system so that I can track issues for various customers. I used one before at my previous employer but it wasn't anything too great. I'm wondering which ones you would recommend and what other features that I might want to look at to make my job easier. It must posses the following.

1. Web based
2. Handle multiple clients (probably all support this)
3. Asset management

IIS/Web Applications has been a tricky issue in the shops I've worked in over time.

On one hand, IIS is a service built into the server (by in large) and is typically the responsibility of the server administrators to maintain and configure. When an issue comes up, they know what needs to happen, or can at least diagnose to the point where they say, "Something is wrong with the web app" and have the developer debug their code.

However, each web application on the server is unique and has a lot of nuances that gets can be complex based on the issues at hand.

On the other hand, each web application is unique in many ways and had specific issues that need to be dealt with and the developer is the person that knows the most about the application. If the web.config file needs to be modified for debugging, or an IIS starts giving grief to the web application, the developer should know where the issue lies and fix it accordingly, either due to IIS or the application itself.

However, allowing a developer to go in and tweak with IIS on their own becomes a serious issue because some settings/optimizations can seriously muck up with the server performance and stability.

So where does the balance lie? Should the server admins be IIS gurus and handle all of those issues and I simply send the site files over deployment, or should the developer assume responsibility for the server and IIS issues and deal with them accordingly?

Right now we only have one back-end server per site/web service. I'd be interested to hear people's experiences with various load balancer apps (something that runs on Linux).

What would you recommend?