Security Best Practices


Administrators - Protect Your Company

New Salesforce Login Pages Starting June 15th

Starting June 15th, Salesforce login pages will have a new look. The redesign improves the experience on Touch devices and introduces new login capabilities for Salesforce Communities. These changes do not apply to login pages with custom branding developed using Trialforce.
The old login page may still appear for some users while the change is rolled out across all instances; all customers will see the new login page no later than June 16th.
Make sure your support teams know about this change in advance, so they can address security concerns from users who notice that the login page looks different from the one they are used to.


[back to top]

SMS Identity Confirmation

Salesforce.com is dedicated to keeping our service as secure as possible and to helping our customers strengthen security in their own environments. Starting March 6, 2013, we will begin a phased rollout that changes the default Identity Confirmation option: for all users with a verified mobile phone, SMS Identity Confirmation replaces email Identity Confirmation. This adds a layer of protection when a login from an unknown source (an unrecognized browser or IP address) must be verified, because the confirmation code goes to a device the user holds rather than to a mailbox that an attacker may already control. Once the change is activated, verified mobile users will receive identity confirmation by SMS only. Users without a verified mobile phone will still have the option to use email identity confirmation.


[back to top]

Implement IP Restrictions in Salesforce.com

Restricting logins to the IP addresses you specifically approve is one of the most effective protections for your applications: even a stolen password cannot be used from a network you have not approved. Login IP ranges are defined per profile, so check every profile, not just the ones for administrators.

To restrict IP addresses, click:

Setup>Manage Users>Profiles

If you are using Personal Edition or Group Edition, click:

Setup>Security Controls>Session Settings 
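
The following Python script is an added example, not part of the original page or of any Salesforce tool. It models how a profile's login IP ranges are evaluated (each range is a start address and an end address, as entered on the profile; a profile with no ranges is unrestricted) and adds two audit checks a practitioner wants: a profile with no ranges at all, and a range so wide that the restriction is meaningless. The profile names and address ranges are constructed sample data.

```python
import ipaddress

# Constructed sample data, not from any real org: the login IP ranges an
# administrator would enter on a profile as (start address, end address).
SALES_PROFILE_RANGES = [
    ("203.0.113.0", "203.0.113.255"),    # office egress block
    ("198.51.100.10", "198.51.100.20"),  # VPN concentrator pool
]
UNRESTRICTED_PROFILE_RANGES = []         # no ranges entered: any address may log in


def parse_ranges(ranges):
    """Turn (start, end) strings into address pairs, rejecting malformed ranges."""
    parsed = []
    for start, end in ranges:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if lo.version != hi.version:
            raise ValueError(f"mixed IP versions in range {start}-{end}")
        if lo > hi:
            raise ValueError(f"start address after end address in range {start}-{end}")
        parsed.append((lo, hi))
    return parsed


def login_allowed(login_ip, ranges):
    """True if a login from login_ip passes the profile's IP restriction.

    An empty range list means no restriction is in force, so every address
    is allowed; that is the state to look for when auditing profiles.
    """
    if not ranges:
        return True
    ip = ipaddress.ip_address(login_ip)
    return any(lo <= ip <= hi
               for lo, hi in parse_ranges(ranges)
               if lo.version == ip.version)   # never compare v4 with v6


def overly_broad_ranges(ranges, max_addresses=65536):
    """Ranges so wide that the restriction is effectively meaningless."""
    return [(str(lo), str(hi)) for lo, hi in parse_ranges(ranges)
            if int(hi) - int(lo) + 1 > max_addresses]


def review_profile(name, ranges):
    """Summarise the restriction state of one profile for an audit report."""
    if not ranges:
        return f"{name}: UNRESTRICTED (no login IP ranges defined)"
    broad = overly_broad_ranges(ranges)
    if broad:
        return f"{name}: restricted, but ranges {broad} are too broad to be useful"
    return f"{name}: restricted to {len(ranges)} range(s)"


if __name__ == "__main__":
    for profile, ranges in [("Sales", SALES_PROFILE_RANGES),
                            ("Contractor", UNRESTRICTED_PROFILE_RANGES)]:
        print(review_profile(profile, ranges))
    for ip in ("203.0.113.42", "198.51.100.21", "192.0.2.7"):
        print(ip, "allowed" if login_allowed(ip, SALES_PROFILE_RANGES)
              else "denied")
```

The `max_addresses` threshold is this example's own choice; the point is that a range such as 0.0.0.0 to 255.255.255.255 passes the "ranges are defined" check while restricting nothing, so an audit has to look at the width of the ranges, not just their presence.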

[back to top]

Consider Two-Factor Authentication

User names and passwords are the most commonly used form of authentication. Several technologies can add a second factor, including hardware tokens that generate one-time codes. Note that a second factor does not protect against "man-in-the-middle" attacks, in which messages are intercepted: an attacker who captures a user's one-time code on a fake login page and relays it to the real one within its validity window still obtains a session. Also, applications integrated with salesforce.com that authenticate with a user name and password are not protected by two-factor authentication.

Please contact your account team for more information.

[back to top]

Secure Employee Systems

One of your goals is to keep fraudulent email from reaching your users in the first place, because a convincing message is all an attacker needs to collect a password. To help do that, secure every computer your employees use.

[back to top]

Strengthen Password Policies

You can make passwords harder to guess or crack by requiring users to define complex passwords, setting password expiration, and locking accounts after repeated failed login attempts.

To set password policies, click:

Setup>Security Controls>Password Policies

To force users to reset their passwords, click:

Setup>Security Controls>Expire All Passwords

[back to top]

Require Secure Sessions

By requiring that all sessions use encrypted (HTTPS) connections, you protect data in transit from being read or altered on the network.

Your administrator should verify these settings:

Setup>Manage Users>Profiles

[back to top]

Decrease Session Timeout Thresholds

Users sometimes leave their computers unattended or do not log off. You can protect your applications against unauthorized use of those sessions by automatically ending a session after a period with no activity. The default timeout is 2 hours; you can set any value between 30 minutes and 8 hours.

To change the session timeout, click:

Setup>Security Controls>Session Settings

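The following Python script is an added example, not part of the original page or of any Salesforce tool. It covers the password policy settings described under "Strengthen Password Policies" as well as the secure-session and session-timeout settings above: it compares an org's settings against a baseline and reports every setting that falls short. The two settings dictionaries are constructed samples laid out in the shape of the SecuritySettings metadata type; the field names and enumeration values (such as "EightHours" or "TenAttempts") are this example's assumptions and should be checked against the Metadata API documentation before being relied on. The baseline values are also this example's own choice.

```python
# Constructed sample settings in the shape of the SecuritySettings metadata
# type (passwordPolicies / sessionSettings). The field names and enumeration
# values are assumptions made for this example; check them against the
# Metadata API documentation for your org before relying on them.
WEAK_ORG = {
    "passwordPolicies": {
        "minimumPasswordLength": 5,
        "complexity": "NoRestriction",
        "expiration": "Never",
        "historyRestriction": 0,
        "maxLoginAttempts": "NoLimit",
    },
    "sessionSettings": {
        "sessionTimeout": "EightHours",
        "requireHttps": False,
    },
}

HARDENED_ORG = {
    "passwordPolicies": {
        "minimumPasswordLength": 10,
        "complexity": "UpperLowerCaseNumeric",
        "expiration": "NinetyDays",
        "historyRestriction": 3,
        "maxLoginAttempts": "TenAttempts",
    },
    "sessionSettings": {
        "sessionTimeout": "ThirtyMinutes",
        "requireHttps": True,
    },
}

# Enumeration values translated to numbers so they can be compared.
TIMEOUT_MINUTES = {"FifteenMinutes": 15, "ThirtyMinutes": 30, "SixtyMinutes": 60,
                   "TwoHours": 120, "FourHours": 240, "EightHours": 480,
                   "TwelveHours": 720, "TwentyFourHours": 1440}
EXPIRATION_DAYS = {"Never": None, "ThirtyDays": 30, "SixtyDays": 60,
                   "NinetyDays": 90, "SixMonths": 180, "OneYear": 365}
LOGIN_ATTEMPTS = {"NoLimit": None, "ThreeAttempts": 3, "FiveAttempts": 5,
                  "TenAttempts": 10}

# Baseline chosen for this example: complex passwords, expiration, a lockout,
# HTTPS only, and a timeout no longer than the 2-hour default. Adjust to your
# own policy.
BASELINE = {
    "min_length": 8,
    "acceptable_complexity": {"AlphaNumeric", "SpecialCharacters",
                              "UpperLowerCaseNumeric",
                              "UpperLowerCaseNumericSpecialCharacters"},
    "max_expiration_days": 90,
    "min_history": 3,
    "max_login_attempts": 10,
    "max_timeout_minutes": 120,
}


def audit(org, baseline=BASELINE):
    """Return (field, message) findings where org falls below the baseline."""
    pw, ss = org["passwordPolicies"], org["sessionSettings"]
    findings = []

    if pw["minimumPasswordLength"] < baseline["min_length"]:
        findings.append(("minimumPasswordLength",
                         f"{pw['minimumPasswordLength']} is below {baseline['min_length']}"))
    if pw["complexity"] not in baseline["acceptable_complexity"]:
        findings.append(("complexity",
                         f"{pw['complexity']} allows trivially weak passwords"))
    days = EXPIRATION_DAYS[pw["expiration"]]
    if days is None or days > baseline["max_expiration_days"]:
        findings.append(("expiration",
                         f"{pw['expiration']} exceeds {baseline['max_expiration_days']} days"))
    if pw["historyRestriction"] < baseline["min_history"]:
        findings.append(("historyRestriction",
                         "users can reuse a recently expired password"))
    attempts = LOGIN_ATTEMPTS[pw["maxLoginAttempts"]]
    if attempts is None or attempts > baseline["max_login_attempts"]:
        findings.append(("maxLoginAttempts",
                         f"{pw['maxLoginAttempts']}: no effective lockout against password guessing"))

    minutes = TIMEOUT_MINUTES[ss["sessionTimeout"]]
    if minutes > baseline["max_timeout_minutes"]:
        findings.append(("sessionTimeout",
                         f"{minutes} minutes leaves unattended sessions open too long"))
    if not ss["requireHttps"]:
        findings.append(("requireHttps",
                         "sessions may be carried over unencrypted HTTP"))
    return findings


if __name__ == "__main__":
    for name, org in (("weak", WEAK_ORG), ("hardened", HARDENED_ORG)):
        findings = audit(org)
        print(f"{name}: {len(findings)} finding(s)")
        for field, message in findings:
            print(f"  {field}: {message}")
```

Run the script as-is to see the weak org produce one finding per setting and the hardened org produce none; to audit a real org, replace the constructed dictionaries with values read from your own exported settings and keep the baseline in version control so changes to it are reviewed like any other policy change.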
[back to top]

Identify a Primary Security Contact

Please identify a person in your company who is responsible for application security. This person should have a thorough understanding of your security policies and should be your single point of contact for salesforce.com, so that security notifications reach someone who can act on them.

To notify salesforce.com about your security contact, please contact your account team.

[back to top]