1) You will be required to create a new user account with a real email address and give it Super Admin privileges. Log out and confirm that you can log in with the new account before going any further.
2) The default admin account (admin@AspDotNetStorefront.com) will be deleted automatically. Decide, as a matter of company policy, which people genuinely need administrative access to the store. Never use a shared ('group') login where several staff members use the same credentials: PCI DSS requires a unique ID for every user, and a shared login makes the audit trail meaningless. Explain to each administrative account-holder the importance of being security-conscious; for example, they should never walk away from a computer while still logged in.
3) Enable CAPTCHA images on your admin site. They are turned on under Settings and help prevent scripted (automated) login attacks against your site.
4) Set up password management (the rules that govern how customers and administrators log in and out). The settings below control it. Explain the password controls to your administrative account-holders and make sure they understand the responsibility that comes with their position.
The number of days between required password changes for admin users. Cannot exceed 90 days (the PCI DSS maximum); the default is 30 days.
The amount of time, in minutes, that an account remains locked after the MaxBadLogins threshold has been exceeded. Setting this to zero disables bad-login lockout altogether; do not do that on a PCI-scoped site, which requires a lockout of at least 30 minutes or until an administrator unlocks the account. Default is 30 minutes.
The number of failed logins before the customer account is locked out. PCI DSS requires six attempts or fewer, but beware setting this very low: anyone who knows a customer's email address can then lock that customer out at will.
If TRUE, shoppers are forcibly logged off upon order creation. Default is FALSE.
Used when creating new passwords via the Forgot your Password feature on the sign-in page.
Prevents admin users from re-using any of the specified number of previously used passwords. The PA-DSS requirement is 4, so do not set it any lower.
A regular expression used to validate passwords. Test your expression thoroughly before changing this: a pattern that rejects every input locks everyone out, and one that matches anything enforces nothing.
If TRUE, Turing-number (CAPTCHA) security fields are added to the login pages to prevent automated attacks. Turing fields are only rendered on the live server, not on development or staging servers, so make sure your LiveServer setting is set to yourdomain.com (your real production host name), or the fields will never appear.
A Regular Expression that is used to validate passwords. This enforces stronger passwords than PasswordValidator does. Test your expression thoroughly before changing this.
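Because the two validator settings above are only as good as the expression you put in them, it pays to exercise a candidate pattern against the same .NET Regex engine the store uses before saving it. The following is an added example and is not code from the AspDotNetStorefront documentation or product; the expression, the sample passwords and the function name Test-PasswordPolicy are assumptions chosen for illustration.

```powershell
# Added example (not from AspDotNetStorefront): try a candidate password
# validator against the .NET Regex engine before putting it in the store.
# The pattern and sample passwords below are assumptions for illustration.
# Each lookahead demands one character class; (?!.*\s) forbids whitespace;
# the final .{12,128} fixes the length range.
$Validator = '^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9\s])(?!.*\s).{12,128}$'

function Test-PasswordPolicy {
    param([string]$Password, [string]$Pattern = $Validator)
    # No RegexOptions.IgnoreCase, so the upper- and lower-case classes stay distinct.
    return [System.Text.RegularExpressions.Regex]::IsMatch($Password, $Pattern)
}

# Constructed samples: password, expected result, reason. Include the cases you
# want rejected, not just the ones you want accepted.
$Samples = @(
    @('Tr0ub4dor&3x!Q',      $true,  'meets every class and the length'),
    @('correcthorsebattery', $false, 'no upper case, digit or symbol'),
    @('Short1!',             $false, 'only seven characters'),
    @('NoSymbolsHere123',    $false, 'missing a symbol'),
    @('Has Space In It1!',   $false, 'whitespace is rejected'),
    @('ALLUPPERCASE123!!',   $false, 'no lower case')
)

$failures = 0
foreach ($s in $Samples) {
    $got = Test-PasswordPolicy -Password $s[0]
    $status = if ($got -eq $s[1]) { 'ok  ' } else { $failures++; 'FAIL' }
    '{0} {1,-22} expected={2,-5} got={3,-5} ({4})' -f $status, $s[0], $s[1], $got, $s[2]
}
if ($failures) {
    throw "$failures sample(s) did not behave as expected; do not deploy this pattern"
}
```

Run this from a PowerShell prompt on the web server (or any machine with the same .NET version). Only when every sample reports ok should the pattern go into the validator setting; a pattern that fails the 'Short1!' or whitespace cases would quietly weaken the policy rather than break the site, which is exactly the kind of error a single manual login test will not catch.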
PCI DSS requires you to protect administrators and shoppers by monitoring session activity and logging them out when they appear to have walked away from their desk; an idle session must be ended after no more than 15 minutes.
Admin session idle timeout, in minutes. Default is 15 minutes; do not raise it above that.
Customer session idle timeout, in minutes. Default is 15 minutes.
When a customer's session ends due to idleness, they are sent to this page on your site. A blank value means the site's home page.
If TRUE, customers get a warning before their session times out due to inactivity.
5) Set up your encryption information. AspDotNetStorefront combines a number of elements to derive an encryption key that varies every time it is used (see also "Setting and Changing your Encrypt Key"). Pay attention to the following settings:
The encryption provider used to encrypt the web.config file. Allowed values are DataProtectionConfigurationProvider (Windows DPAPI, with machine-bound keys) and RsaProtectedConfigurationProvider. The former is recommended in most instances. A DPAPI-protected web.config can only be decrypted on the machine that encrypted it, so choose the RSA provider only when one copy of the file must be readable on several servers, such as a web farm, and then export the RSA key container to each of them.
The salt field to use for encrypting the credit card field in the Address table. Allowable values are AddressID or CustomerID.
The salt field to use for encrypting the credit card field in the Orders table. Allowable values are OrderNumber, OrderGUID, CustomerID, CustomerGUID or Email.
Number of encryption iterations. Enter a number from 1 to 4: 1 is fastest but least secure, 4 is slowest but most secure.
Type of encryption hash algorithm used. Must be either MD5 or SHA1; use SHA1. MD5 is cryptographically broken and should not be selected for a new installation.
Encryption key size, in bits. Must be 128, 192, or 256. Lower values are faster but less secure; higher values are slower but more secure. Use 256 unless measurement shows you cannot afford it.
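The web.config provider setting above is only worth something once the sensitive section of the file has actually been encrypted, and the right time to discover that the encryption did not take is before the server goes live. The following is an added example, not part of the AspDotNetStorefront documentation: it runs the standard .NET aspnet_regiis tool with the DPAPI provider and then checks the result. The site path, the assumption that the connection string sits in connectionStrings (pass appSettings instead if yours is there), and the .NET 4.x path to aspnet_regiis are assumptions for illustration.

```powershell
# Added example (not from AspDotNetStorefront): encrypt the connection-string
# section of the store's web.config with DPAPI, then verify that no plaintext
# remains. Run from an elevated PowerShell prompt on the web server.
# Assumptions for illustration: the store lives at $SitePath, the connection
# string is in <connectionStrings>, and the site runs on .NET 4.x.
$SitePath = 'C:\inetpub\wwwroot\store'
$Section  = 'connectionStrings'
$Provider = 'DataProtectionConfigurationProvider'   # machine-bound DPAPI keys
$RegIIS   = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'

# -pef encrypts one named section of the web.config found at a physical path.
# The application pool can still read it because this provider uses the
# machine key store, not the encrypting user's profile.
& $RegIIS -pef $Section $SitePath -prov $Provider
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis failed with exit code $LASTEXITCODE" }

# Verify rather than trusting the exit code: the section must now carry the
# configProtectionProvider attribute and an <EncryptedData> child, and no
# password/pwd key may remain in clear text anywhere in the file.
$raw     = Get-Content (Join-Path $SitePath 'web.config') -Raw
$xml     = [xml]$raw
$secNode = $xml.configuration.$Section
if ($secNode.configProtectionProvider -ne $Provider) { throw "$Section is not protected by $Provider" }
if (-not $secNode.EncryptedData) { throw "$Section has no EncryptedData element" }
if ($raw -match '(?i)\b(password|pwd)\s*=') { throw 'a plaintext password/pwd value remains in web.config' }
"web.config <$Section> is encrypted with $Provider"

# DPAPI-protected sections decrypt only on the machine that encrypted them.
# To edit the section later, decrypt it in place, change it, and re-encrypt:
#   & $RegIIS -pdf $Section $SitePath
# Encrypt each server's own copy separately, or switch to
# RsaProtectedConfigurationProvider with a shared key container when a single
# file must be readable on several servers.
```

The plaintext check is deliberately blunt: it fails on any password= or pwd= token left anywhere in web.config, including in sections you did not intend to encrypt, which is usually a sign that another section (mail settings, a payment gateway key) needs the same treatment.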
6) Review your credit-card storage policy. It is very rare to need to store card data, and doing so is strongly discouraged: card data you do not store cannot be stolen from you, and storing it pulls far more of your environment into PCI scope. Whatever you decide, the card verification code (CVV/CVC) must never be stored after authorization.