Security Best Practices

Administrators - Protect Your Company

Salesforce.com is dedicated to helping our customers be more secure when accessing Salesforce. With the evolving threat landscape, we strongly encourage customers to take action to help prevent unauthorized access to their Salesforce orgs.

As a Salesforce admin, there are steps that you can take to make the experience as secure as possible for your Salesforce users. The following security features available in Salesforce provide additional layers of end-user validation or authentication:

Implement IP Restrictions in Salesforce.com

Login IP Ranges limit unauthorized access by requiring users to log in to Salesforce from designated IP addresses — typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access to Salesforce. Those who try to log in to Salesforce from outside the designated IP addresses will not be granted access. If you are using Professional, Group, or Personal editions, you can configure Login IP Ranges under Security Controls > Session Settings. If you are using Enterprise, Unlimited, Performance, or Developer editions, you can configure Login IP Ranges under Manage Users > Profiles. Learn how to implement this feature here.
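To make the rule concrete, here is an added Python example (not Salesforce code) that models how Login IP Ranges behave: each profile carries start/end address pairs, and a login attempt is granted only if its source address falls inside one of that profile's ranges. The profile names, ranges and login records are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample policy: per-profile Login IP Ranges given as
# (start address, end address) pairs, the way they are entered in Salesforce.
LOGIN_IP_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "Standard User": [("203.0.113.0", "203.0.113.255")],            # corporate egress
    "System Administrator": [("203.0.113.0", "203.0.113.255"),
                             ("198.51.100.10", "198.51.100.20")],   # VPN pool
}

def validate_range(start: str, end: str):
    """Reject malformed ranges before they are trusted for enforcement."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if s.version != e.version:
        raise ValueError(f"mixed IP versions in range {start}-{end}")
    if s > e:
        raise ValueError(f"start {start} is after end {end}")
    return s, e

def login_permitted(profile: str, source_ip: str) -> bool:
    """Allow the login only if the source IP lies inside a range for the profile.
    A profile with no ranges configured is unrestricted (Salesforce's behaviour)."""
    ranges = LOGIN_IP_RANGES.get(profile, [])
    if not ranges:
        return True
    ip = ipaddress.ip_address(source_ip)
    for start, end in ranges:
        s, e = validate_range(start, end)
        if ip.version == s.version and s <= ip <= e:
            return True
    return False

def audit_logins(records: List[Tuple[str, str, str]]) -> List[str]:
    """Return the users whose login attempts would be refused under the policy."""
    return [user for user, profile, ip in records if not login_permitted(profile, ip)]

# Constructed login attempts: (user, profile, source IP).
SAMPLE_LOGINS = [
    ("alice", "Standard User", "203.0.113.42"),
    ("bob", "Standard User", "198.51.100.15"),        # VPN pool not allowed for this profile
    ("carol", "System Administrator", "198.51.100.15"),
    ("dave", "System Administrator", "192.0.2.7"),    # outside every range
]

if __name__ == "__main__":
    print("refused:", audit_logins(SAMPLE_LOGINS))  # ['bob', 'dave']
```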

Consider Two-Factor Authentication

Two-Factor Authentication requires that all login attempts have both login credentials and a second authentication factor. This can be achieved by using the Salesforce# App or similar solutions from security vendors. Login attempts that do not have valid credentials from both sources will not be granted access to Salesforce. Learn how to implement this feature here.

SMS Identity Confirmation

SMS Identity Confirmation is designed to help prevent unauthorized access to your Salesforce org by challenging users to confirm their identity when logging in from an unknown source (a new device or IP address). Users must confirm their identity by entering a code that is sent via SMS to their designated phone number. The feature is enabled by default for all Salesforce users, and settings can be adjusted if a user does not have a mobile phone. You can learn more about Salesforce Identity Confirmation here.

Secure Employee Systems

One of your goals is to keep email fraud from reaching your users in the first place. To help do that, secure all computers used by your employees.

Strengthen Password Policies

You can make passwords more secure and harder to break by requiring users to define complex passwords, setting up password expirations, and implementing lockouts.

To set password policies, click:

Setup>Security Controls>Password Policies

To force users to reset their passwords, click:

Setup>Security Controls>Expire All Passwords

Identify a Primary Security Contact

Please identify a person in your company who is responsible for application security. He or she should have a thorough understanding of your security policies. Make this person your single point of contact for salesforce.com.

To notify salesforce.com about your security contact, please contact your account team.

Require Secure Sessions

By mandating that all sessions are encrypted and secure, you protect messages in transit.

Your administrator should verify these settings:

Setup>Manage Users>Profiles

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended or don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. The default timeout is 2 hours; you can set this value to between 30 minutes and 8 hours.

To change the session timeout, click:

Setup>Security Controls>Session Settings

Information on all of these features and more can be found in our Security Implementation Guide here.