Exercise 2: Update Session Security
In this exercise, you'll take action on critical security vulnerabilities to increase your org's security posture and Health Check security score.
The Many Factors of Security
At its most basic, access to a platform or application is granted on the strength of three fundamental security factors.
1. Something You Know (Knowledge Factor)
This is the most common and traditional form of security. It relies on information that exists only in your mind.
- Examples: Passwords, PINs, or the answer to a secret question
- The Weakness: This is the easiest factor to steal. Through phishing, social engineering, or data breaches, a bad actor can gain what you know without ever coming near you.
2. Something You Have (Possession Factor)
This requires you to physically own or have access to a specific object.
- Examples: Your smartphone (for receiving a push notification or SMS), a physical security key (like a YubiKey), or a smart card
- The Strength: Even if a hacker steals your password, they can't log in unless they also physically have your phone or key.
3. Something You Are (Inherence Factor)
This is based on your unique physical characteristics, often referred to as Biometrics.
- Examples: Fingerprint scans, Face ID, or retina scans
- The Strength: This is extremely difficult to replicate or steal. It ensures the person logging in is physically the same human being who owns the account.
Scenario
You are the new Salesforce Admin at an organization and while doing your first review of your new org's Health Check, you notice the poor security score and several non-compliant settings. You decide to focus on the Critical Status items to better secure your org.
By the end of this exercise, you will have implemented two critical security protections:
- Enable MFA — instead of just using a password to log in, users will also confirm their identity through a second step, like a notification on their phone or a code, to prove it's really them and keep hackers out.
- Enforce login IP ranges on every request — Salesforce will verify that your users are on a trusted network not just at login, but every time they make a request, immediately cutting off access if they switch to an unapproved connection.
Step 1: Enable MFA
Work with your IT and Security Teams to identify the best MFA solution for your organization. There are many to choose from!
Head to your Health Check High-Risk Security Settings and click Edit next to the MFA Enabled setting.
In Identity Verification, check the box to Require multi-factor authentication (MFA) for all direct UI logins to your Salesforce org.

Scroll down and click Save to save your Identity Verification settings.
Return to Health Check and refresh the page — your Security Score will increase.
Step 2: Set Login IP Ranges
Trusted IP Ranges allow you to specify the known ranges of login locations you expect your users to come from. Without trusted IP ranges, your org cannot tell whether a user is attempting to log in from an unusual IP address.
Normally you would reach out to your IT department to determine what ranges are secure for users. For this workshop, we'll find your IP on the web.
Find your IP address to determine what ranges make sense for your users.
Go to What Is My IP?

Copy your IP address results.
Go back to Salesforce and open Setup.

Type Network Access into the Quick Find.
Click New.

Using the IP address from your results, create a range for:
X.X.0.0 to X.X.255.255, where X.X is the first two numbers from your IP result. This is a broad geographic range for workshop purposes only — consult your IT department for a reasonable range in production.
Click Save.

Step 3: Enforce Login IP Ranges on Every Request
Head back to Health Check and scroll down to Medium-Risk Security Settings. Click Edit next to the Enforce login IP ranges on every request setting.

Scroll up to Session Settings.
Check the box to Enforce login IP ranges on every request.

Scroll down and click Save to save your Session Settings.
Return to Health Check and refresh the page — your Security Score will increase.
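As an added illustration (not part of the workshop and not Salesforce's own code), the Python below derives the broad X.X.0.0 to X.X.255.255 range from an IP address as Step 2 describes, then contrasts a login-only check with the per-request enforcement of Step 3 over a constructed sequence of request source IPs. The `evaluate_session` model and the sample addresses are assumptions made for this example.

```python
import ipaddress

# Constructed sample values for the example (documentation address space,
# not real user traffic).
SAMPLE_IP = "203.0.113.45"
SAMPLE_REQUESTS = ["203.0.113.45", "203.0.114.7", "198.51.100.9", "203.0.113.45"]


def workshop_login_range(ip: str) -> tuple[str, str]:
    """Keep the first two octets of `ip` and zero the rest: X.X.0.0 to X.X.255.255."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.IPv4Network((addr, 16), strict=False)
    return str(net.network_address), str(net.broadcast_address)


def in_ranges(ip: str, ranges: list[tuple[str, str]]) -> bool:
    """True if `ip` falls inside any inclusive (start, end) range."""
    addr = ipaddress.IPv4Address(ip)
    return any(
        ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
        for lo, hi in ranges
    )


def evaluate_session(login_ip: str, request_ips: list[str],
                     ranges: list[tuple[str, str]],
                     enforce_every_request: bool) -> dict:
    """Assumed model of the two behaviours the workshop describes.

    Login-only: the range is checked once at login; later requests are served
    regardless of their source. Enforce on every request: each request is
    re-checked and the session is cut off at the first out-of-range request.
    """
    if not in_ranges(login_ip, ranges):
        return {"login": "denied", "served": 0, "cut_off_at": None}
    served = 0
    for ip in request_ips:
        if enforce_every_request and not in_ranges(ip, ranges):
            return {"login": "allowed", "served": served, "cut_off_at": ip}
        served += 1
    return {"login": "allowed", "served": served, "cut_off_at": None}


if __name__ == "__main__":
    rng = [workshop_login_range(SAMPLE_IP)]
    print("range:", rng)
    print("login-only:", evaluate_session(SAMPLE_IP, SAMPLE_REQUESTS, rng, False))
    print("per-request:", evaluate_session(SAMPLE_IP, SAMPLE_REQUESTS, rng, True))
```

With the per-request flag set, the session stops being served at the first request from outside the range rather than continuing until the user logs in again.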
Summary
You have taken action on Critical Session Settings identified in your Health Check. By enabling MFA, creating trusted IP login ranges, and enforcing login IP ranges on every request, you have taken the first steps to better protect your org from critical security threats.