Security Setup - Day One
Immediately upon installing AspDotNetStorefront, there are certain security actions to be taken:
1) Read the Security Best Practices and follow the guidelines carefully.
2) You will be required to create a new user account using a real email address, and give the new user Super Admin privileges. Log out and make sure you can log in using the new account.
3) The default admin account (admin@AspDotNetStorefront.com) will be deleted automatically. Make a corporate decision about which people in the company really need administrative access to the store. Never, ever use a 'group' policy (where several staff members share the same login credentials). Explain to each administrative account-holder the importance of being security-conscious - for example, they should never walk away from their computer and leave it active and logged on.
4) Use CAPTCHA images on your admin site. These can be enabled in Settings on your site and help prevent scripted attacks against your website.
5) Set up Password Management (and the ability of customers and administrators to log in and log out). Explain password controls to your administrative account-holders and make sure that they understand the importance of their position.
PCI requirements ask you to protect your administrators and shoppers by monitoring their activity and logging them out if they appear to have walked away from their desk.
6) Set up your encryption information. AspDotNetStorefront combines a number of elements in order to derive a key for encryption that varies every single time it is used. (See also "Setting and Changing your Encrypt Key".) You will need to pay attention to the following setting:
Number of encryption iterations. Enter a number from 1 to 4.
1 is less secure, but faster.
4 is more secure, but slower.
7) Review your credit card storing policies. It is very rare to have to store CC information, and it is strongly discouraged.
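The following is an added illustration of the two properties described under the encryption setting (a key that differs on every use, and an iterations setting that trades speed for work), written for this page and not taken from AspDotNetStorefront's code. The mapping of the 1 to 4 setting onto PBKDF2 iteration counts, and the use of PBKDF2 itself, are assumptions made for the illustration, not the product's own algorithm.

```python
import hashlib
import os
from typing import Optional, Tuple

# Assumed mapping of the store's 1..4 "encryption iterations" setting to a
# key-stretching work factor. These numbers are illustrative, not the
# product's own table; the point is that each step costs roughly 10x more.
ITERATION_LEVELS = {1: 1_000, 2: 10_000, 3: 100_000, 4: 600_000}


def is_valid_iterations_setting(setting: int) -> bool:
    """The admin setting must be an integer from 1 to 4."""
    return isinstance(setting, int) and setting in ITERATION_LEVELS


def derive_key(encrypt_key: str, iterations_setting: int,
               salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a 32-byte encryption key from the configured encrypt key.

    A fresh random salt is drawn on every call unless one is supplied, so
    the derived key is different each time it is used. The salt is returned
    alongside the key because it must be stored with the ciphertext; without
    it the same key cannot be re-derived for decryption.
    """
    if not is_valid_iterations_setting(iterations_setting):
        raise ValueError("encryption iterations must be a number from 1 to 4")
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256",
        encrypt_key.encode("utf-8"),
        salt,
        ITERATION_LEVELS[iterations_setting],
        dklen=32,
    )
    return key, salt


if __name__ == "__main__":
    # Constructed secret for demonstration only.
    k1, s1 = derive_key("constructed-encrypt-key", 3)
    k2, _ = derive_key("constructed-encrypt-key", 3)
    print("keys differ on each use:", k1 != k2)
    print("re-derived with stored salt:", derive_key("constructed-encrypt-key", 3, s1)[0] == k1)
```

Raising the setting from 1 to 4 only changes how much work each derivation costs; the stored salt and the setting in force at encryption time are both needed to get the same key back.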