• 10.0.0 - 10.0.26

    Security Setup - Day One

    Immediately upon installing AspDotNetStorefront, there are certain security actions to be taken:


    1) Read the Security Best Practices and follow the guidelines carefully. 

    2) You will be obliged to create a new user account using a real email address, and give the new user Super Admin privileges. Log out and make sure you can log in using the new account.


    2) The default admin account (admin@AspDotNetStorefront.com) will be deleted automatically. Make a corporate decision about the people in the company who really need to have administrative access to the store. Never, ever use a 'group' policy (where several staff members share the same login credentials). Explain to each administrative account-holder the importance of being security-conscious - for example, they should never walk away from their computer and leave it active and logged on.


    3) Use CAPTCHA images on your admin site. These can be enabled in Settings on your site and can help prevent scripted attacks against your website.


    4) Set up Password Management (and the ability of customers and administrators to log in and log out). Explain password controls to your administrative account-holders and make sure that they understand the importance of their position.


     Setting                           Description
     AdminPwdChangeDays                The number of days between password resets for admin users. Cannot exceed 90 days; the default is 30 days.
     BadLoginLockTimeOut               Sets the amount of time in minutes that an account will be locked out after the MaxBadLogins threshold has been exceeded. You can set this to zero to disable bad login lockout altogether. Default is 30 mins.
     MaxBadLogins                      The number of failed logins before the customer account is locked out. Beware setting this too low.
     ForceSignoutOnOrderCompletion     If TRUE, shoppers are forcibly logged off upon order creation. Default is FALSE.
     NewPwdAllowedChars                Used when creating new passwords via the Forgot your Password feature on the sign-in page.
     NumPreviouslyUsedPwds             Prevents admin users from re-using any of the specified number of previously used passwords. The PA-DSS requirement is 4, so we urge you not to set it any lower.
     PasswordValidator                 A Regular Expression that is used to validate passwords. Test your expression thoroughly before changing this.
     SecurityCodeRequiredOnStoreLogin  If TRUE, Turing number security fields are added to the login pages, to prevent automated attacks. Turing fields are also ONLY used on the live server, not the development or staging servers, so make sure your LiveServer setting is also set to yourdomain.com.
     StrongPasswordValidator           A Regular Expression that is used to validate passwords. This enforces stronger passwords than PasswordValidator does. Test your expression thoroughly before changing this.
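
    One way to test a PasswordValidator or StrongPasswordValidator expression before saving it, as an added example that is not part of the AspDotNetStorefront documentation. The pattern, the sample passwords and the function name Test-PasswordValidator are constructed for illustration, and the harness assumes the store applies the expression as a plain .NET regular-expression match. It runs the same rules with two end anchors, because in .NET `$` also matches just before a trailing newline while `\z` matches only at the very end of the input.

```powershell
# Added example: constructed pattern and sample passwords, not product defaults.
# Assumption: the store applies the expression as a plain .NET Regex match.
function Test-PasswordValidator {
    param(
        [Parameter(Mandatory)] [string]   $Pattern,
        [Parameter(Mandatory)] [object[]] $Cases,     # @{ Label; Password; Expect }
        [int] $TimeoutMs = 250                        # per-match budget against runaway backtracking
    )
    $none  = [System.Text.RegularExpressions.RegexOptions]::None
    $regex = [regex]::new($Pattern, $none, [timespan]::FromMilliseconds($TimeoutMs))
    foreach ($case in $Cases) {
        try {
            $actual = $regex.IsMatch($case.Password)
        } catch {
            # A match that exceeds the budget is reported instead of hanging the test run.
            $timeout = [System.Text.RegularExpressions.RegexMatchTimeoutException]
            if ($_.Exception.GetBaseException() -is $timeout) { $actual = 'TIMEOUT' } else { throw }
        }
        [pscustomobject]@{
            Label  = $case.Label
            Expect = $case.Expect
            Actual = $actual
            Pass   = ($actual -is [bool]) -and ($actual -eq $case.Expect)
        }
    }
}

$lf = [string][char]10    # line feed, for the trailing-newline case
$cases = @(
    @{ Label = 'meets every rule'; Password = 'Passw0rd!x';      Expect = $true  }
    @{ Label = 'too short';        Password = 'Sh0rt!';          Expect = $false }
    @{ Label = 'no digit';         Password = 'NoDigits!!';      Expect = $false }
    @{ Label = 'embedded space';   Password = 'Has Space1!';     Expect = $false }
    @{ Label = 'trailing newline'; Password = 'Tr1cky!pw' + $lf; Expect = $false }
    @{ Label = 'very long input';  Password = 'a' * 5000;        Expect = $false }
)

# Hypothetical policy: 8+ non-space characters with lower, upper, digit and symbol.
$rules = '^(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^A-Za-z0-9])\S{8,}'
foreach ($anchor in '$', '\z') {
    "Pattern ending in $anchor"
    # List only the cases where the expression disagrees with the expected result.
    Test-PasswordValidator -Pattern ($rules + $anchor) -Cases $cases |
        Where-Object { -not $_.Pass } | Format-Table
}
```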



    PCI requirements ask you to protect your administrators and shoppers by monitoring their activity and logging them out if they appear to have walked away from their desk.


     AdminSessionTimeoutInMinutes   Admin session data timeout value. Default is 15 minutes.
     SessionTimeoutInMinutes        Customer session data timeout value. Default is 15 minutes.
     SessionTimeoutLandingPage      When customers' sessions end due to idleness, they will be sent to this page on your site. A blank value means the site's home page.
     SessionTimeoutWarning.Enabled  If true, customers will get a warning before their sessions time out due to inactivity.



    5) Set up your encryption information. AspDotNetStorefront combines a number of elements in order to derive a key for encryption that varies every single time it is used. (See also "Setting and Changing your Encrypt Key".) You will need to pay attention to the following settings:


     Setting                        Description
     Web.Config.EncryptionProvider  The encryption provider used to encrypt the web.config file. Allowed values are DataProtectionConfigurationProvider and RsaProtectedConfigurationProvider. The former is recommended in most instances.
     AddressCCSaltField             This is the salt field to use for encrypting the credit card field in the Address table. Allowable values are AddressID or CustomerID.
     OrdersCCSaltField              The salt field to use for encrypting the credit card field in the Orders table. Allowable values are OrderNumber, OrderGUID, CustomerID, CustomerGUID or Email.

    Number of encryption iterations. Enter a number from 1 to 4. 1 is less secure, but faster. 4 is more secure, but slower.

     HashAlgorithm                  Type of encryption hash algorithm used. Must be either MD5 or SHA1 (SHA1 is recommended).
     KeySize                        Encryption key size. Must be 128, 192, or 256. Lower values are faster, and less secure. Higher values are slower but more secure.

    6) Review your credit card storage policies. It is very rare to have to store CC information, and it is strongly discouraged.

