
Security for Admins

Cheatsheet

Overview
Force.com provides built-in security features and protections that administrators can use to control login and authentication, establish password policies and manage session settings. Also see the Security Cheat Sheet for Developers.

Login and Authentication Settings

Login and Authentication features and restrictions. These settings should be enabled as appropriate for your company.

Setting: Prevent Access by IP Address
Description: Set an allowed Login IP Range on a specific profile. Access is completely denied from outside the range.
Location: From Setup, enter Profiles in the Quick Find box, then select Profiles.

Setting: Require Identity Verification
Description: Set a Trusted IP Range. Access from outside the range prompts the user for identity confirmation (via text message, email, etc.).
Location: From Setup, enter Network Access in the Quick Find box, then select Network Access.

Setting: Time of Day Restrictions
Description: User logins can be restricted to specified times of the day.
Location: From Setup, enter Profiles in the Quick Find box, then select Profiles.

Setting: Single Sign-On using Security Assertion Markup Language (SAML)
Description: Instead of requiring a password, salesforce.com verifies an HTTP request from an identity provider to authenticate a user.
Location: From Setup, enter Single in the Quick Find box, then select Single Sign-On Settings.

Setting: Delegated Authentication
Description: Instead of requiring a password, salesforce.com makes a Web services call to your organization to authenticate a user.
Location: Contact Support to enable this feature.

Setting: Two-Factor Authentication for User Interface Logins
Description: Requires users to authenticate using two different methods, such as a password and a device-generated code.
Location: "Two-Factor Authentication for User Interface Logins" permissions setting on the profile (cloned profiles only) or permission set.

Setting: Two-Factor Authentication for API Logins
Description: Requires users to authenticate for API access using two different methods. Enable Two-Factor Authentication for User Interface Logins first.
Location: "Two-Factor Authentication for API Logins" permissions setting on the profile (cloned profiles only) or permission set.

Setting: Authentication Providers
Description: Enable users to log into your Salesforce organization using their login credentials from an external service provider such as Facebook© and Janrain©, or OpenID Connect providers (Google, Amazon, and Paypal).
Location: From Setup, enter Auth in the Quick Find box, then select Auth. Providers.

Password Policies

Controls available for enabling password restrictions and account lockout settings. From Setup, enter Password in the Quick Find box, then select Password Policies. You can also apply these to individual profiles.

Setting: User passwords expire in
Description: Frequency to automatically expire passwords.
Recommended: 90 days or less

Setting: Enforce password history
Description: Number of previous passwords to save to prevent password re-use.
Recommended: 3 or more passwords remembered

Setting: Minimum password length
Description: Minimum length of a password.
Recommended: 8 characters

Setting: Password complexity requirement
Description: Controls whether the password contains a mix of letters and numbers.
Recommended: Must mix alpha, numeric, and special characters, or more complex

Setting: Password question requirement
Description: Require the user's password hint to not contain the password.
Recommended: Cannot contain password

Setting: Maximum invalid login attempts
Description: Number of invalid logins allowed before locking out the account.
Recommended: 3

Setting: Lockout effective period
Description: Length of time an account remains locked out.
Recommended: 15 minutes

Setting: Obscure secret answer for password resets
Description: Hides answers to security questions as you type.
Recommended: Yes

Setting: Require a minimum 1 day password lifetime
Description: Prevents more than one password change in a 24 hour period. Increases security, but might require an administrator to reset a user's password.
Recommended: Yes

Setting: Expire All Passwords
Description: You can expire passwords for all users (except those with the "Password Never Expires" permission) any time you want to enforce extra security for your organization.
Recommended: Only as necessary.
Location: From Setup, enter Expire in the Quick Find box, then select Expire All Passwords.
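The password-policy and lockout rows above describe behaviour that is easy to misjudge (what "3 passwords remembered" rejects, what happens to a correct password during a lockout). The following is an added example, not Salesforce code: it encodes the Recommended column as a policy object, places a constructed weak policy beside it for comparison, and applies both to candidate passwords and to a sequence of login attempts. The class names, the WEAK values and the sample passwords are this example's own assumptions.

```python
"""Password policy and account lockout checks encoded from the Password Policies table.

Added example, not Salesforce code: the class names, the WEAK comparison values
and the sample passwords are this example's own. RECOMMENDED carries the
values from the Recommended column of the cheatsheet.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    expire_days: int = 90           # User passwords expire in
    history_remembered: int = 3     # Enforce password history
    min_length: int = 8             # Minimum password length
    require_special: bool = True    # Password complexity: alpha, numeric and special
    max_invalid_attempts: int = 3   # Maximum invalid login attempts
    lockout_minutes: int = 15       # Lockout effective period


RECOMMENDED = PasswordPolicy()
# Constructed weak settings for comparison: short passwords, no history, no lockout.
WEAK = PasswordPolicy(expire_days=0, history_remembered=0, min_length=5,
                      require_special=False, max_invalid_attempts=0, lockout_minutes=0)


def password_violations(candidate: str, previous: List[str], hint: str,
                        policy: PasswordPolicy = RECOMMENDED) -> List[str]:
    """Return the rules a proposed new password breaks; an empty list means it is accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and numbers")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must include a special character")
    # Enforce password history: only the last N passwords are remembered.
    recent = previous[-policy.history_remembered:] if policy.history_remembered > 0 else []
    if candidate in recent:
        problems.append(f"reuses one of the last {policy.history_remembered} passwords")
    # Password question requirement: the hint must not contain the password.
    if hint and candidate.lower() in hint.lower():
        problems.append("password hint contains the password")
    return problems


@dataclass
class LockoutTracker:
    """Counts invalid logins per user and locks the account for the lockout period."""
    policy: PasswordPolicy = RECOMMENDED
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:  # lockout effective period has elapsed
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, credentials_ok: bool, now: datetime) -> str:
        """Record one login attempt and return 'locked', 'success' or 'failure'.

        A correct password during the lockout period is still refused, which is
        what makes the lockout effective against guessing.
        """
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] = self.failures.get(user, 0) + 1
        limit = self.policy.max_invalid_attempts
        if limit > 0 and self.failures[user] >= limit:
            self.locked_until[user] = now + timedelta(minutes=self.policy.lockout_minutes)
            return "locked"
        return "failure"


if __name__ == "__main__":
    for pw in ("abcdefg1", "Tr0ub4dor&3"):
        print(pw, "weak:", password_violations(pw, [], "", WEAK),
              "recommended:", password_violations(pw, [], "", RECOMMENDED))
    tracker = LockoutTracker()
    t0 = datetime(2016, 10, 4, 9, 0, 0)
    for i in range(4):
        print(tracker.attempt("alice", False, t0 + timedelta(seconds=10 * i)))
```

Under the weak policy "abcdefg1" is accepted; under the recommended one it is rejected for lacking a special character. The tracker returns "locked" on the third failure and keeps returning it, even for a correct password, until 15 minutes have passed.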

Session Settings

Controls available for general session handling settings, including session timeout. From Setup, enter Session in the Quick Find box, then select Session Settings. You can apply some of these to individual profiles or permission sets.

Setting: Timeout value
Description: Allowed idle session time before automatically logging user out of Salesforce.
Recommended: 2 hours or less

Setting: Disable session timeout warning popup
Description: Disable the warning browser pop-up when a user is about to be logged out from the idle session timeout.
Recommended: Yes

Setting: Lock sessions to the IP address from which they originated
Description: Force the user session to remain locked to the IP address from which the user authenticated. May impact AppExchange installations.
Recommended: Yes (if possible)

Setting: Require secure connections (https)
Description: Require HTTPS on all page requests.
Recommended: Yes

Setting: Enable caching and autocomplete on login page
Description: Allow the user's browser to store and auto-complete usernames or passwords after first login.
Recommended: No

Setting: Require HttpOnly attribute
Description: Restricts session ID cookie access. A cookie with the HttpOnly attribute is not accessible via JavaScript.
Recommended: Yes

Setting: Allow Lightning Login
Description: Allow users to log in password-free with their username and Salesforce Authenticator.
Recommended: Yes

Setting: Allow location-based automated verifications with Salesforce Authenticator
Description: Allow users to automate verifications from anywhere, from trusted IP addresses only, or not at all.
Recommended: Yes

Setting: Let users authenticate with a security key (U2F)
Description: Allow a registered U2F security key device as a second factor.
Recommended: Yes

Setting: Clickjack protection
Description: Protects against clickjack attacks on Visualforce and non-setup Salesforce pages.
Recommended: Yes

Setting: Set High Assurance Session Security Levels
Description: Require two-factor authentication for logins. In the user profile, set the Session security level required at login to High Assurance. Then set session security levels to apply the policy for login methods such as username and password, SAML single sign-on, or social sign-on.
Recommended: Yes

Auditing and Logging

Salesforce provides several types of audit logs for monitoring logins and changes to your organization.

Setting: User Login History
Description: All successful and failed login attempts are recorded and saved for 180 days.
Location: Setup | Manage Users | Login History

Setting: Setup Audit Trail
Description: Every configuration (Setup) change is logged and archived for 180 days.
Location: From Setup, enter Audit in the Quick Find box, then select View Setup Audit Trail.

Setting: Object History Tracking
Description: Selected standard and custom fields can be enabled to track the change history.
Location: Set History Tracking field in the object settings.

Setting: Identity Usage Report
Description: A new custom report includes usage information for both SAML and OAuth connected apps.
Location: From Setup, enter Report in the Quick Find box, then select Report Types. Click New Custom Report Type and set the Primary Object to Identity Event Logs.

Access Control

Salesforce provides three ways to assign access permissions to users.

Setting: Delegated Administration
Description: Use delegated administration to assign limited administrative privileges to selected non-administrator users in your organization.
Location: From Setup, enter Delegated in the Quick Find box, then select Delegated Administration (contact Salesforce to enable this feature).

Setting: Permission Sets
Description: Create permission sets with specific access policies, and then assign the permission set to individual Users in your salesforce.com organization.
Location: From Setup, enter Permission in the Quick Find box, then select Permission Sets.

Setting: Profiles
Description: Create (or edit existing) profiles with specific access policies, and then assign a user to that profile.
Location: From Setup, enter Profiles in the Quick Find box, then select Profiles.
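The User Login History row above says every successful and failed attempt is kept for 180 days, but the cheatsheet does not say what to look for in it. The following is an added example, not Salesforce code, of three checks a reviewer would run over exported login history: successful logins from outside the trusted IP range (the range the Require Identity Verification setting relies on), bursts of failed attempts per user, and a success that follows a run of failures. The record layout, the trusted range (a reserved documentation network), the thresholds and the sample rows are constructed for this example; real exports may use different column names.

```python
"""Review of login history records for the patterns a brute-force or credential-stuffing
attempt leaves behind.

Added example, not Salesforce code. LoginRecord mirrors the columns of the Login
History page (user, time, source IP, status) but is this example's own type; the
trusted range, the thresholds and SAMPLE are constructed, not real data.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LoginRecord(NamedTuple):
    username: str
    login_time: datetime
    source_ip: str
    status: str  # "Success" or a failure reason such as "Invalid Password"


# Assumed corporate trusted range (TEST-NET-3, reserved for documentation).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

_T = datetime(2016, 10, 4, 9, 0, 0)
# Constructed sample: alice is normal, bob is guessed successfully from an outside
# address, carol mistypes once, dave logs in from an untrusted address.
SAMPLE = [
    LoginRecord("alice@example.com", _T, "203.0.113.10", "Success"),
    LoginRecord("bob@example.com", _T + timedelta(minutes=1), "198.51.100.7", "Invalid Password"),
    LoginRecord("bob@example.com", _T + timedelta(minutes=2), "198.51.100.7", "Invalid Password"),
    LoginRecord("bob@example.com", _T + timedelta(minutes=3), "198.51.100.7", "Invalid Password"),
    LoginRecord("bob@example.com", _T + timedelta(minutes=4), "198.51.100.7", "Invalid Password"),
    LoginRecord("bob@example.com", _T + timedelta(minutes=5), "198.51.100.7", "Invalid Password"),
    LoginRecord("bob@example.com", _T + timedelta(minutes=6), "198.51.100.7", "Success"),
    LoginRecord("carol@example.com", _T + timedelta(minutes=10), "203.0.113.22", "Invalid Password"),
    LoginRecord("carol@example.com", _T + timedelta(minutes=11), "203.0.113.22", "Success"),
    LoginRecord("dave@example.com", _T + timedelta(hours=3), "192.0.2.44", "Success"),
]


def successes_outside_trusted(records: List[LoginRecord],
                              ranges=TRUSTED_RANGES) -> List[LoginRecord]:
    """Successful logins whose source IP falls in none of the trusted ranges."""
    out = []
    for r in records:
        if r.status != "Success":
            continue
        ip = ipaddress.ip_address(r.source_ip)
        if not any(ip in net for net in ranges):
            out.append(r)
    return out


def failure_bursts(records: List[LoginRecord], threshold: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Users with at least `threshold` failures inside any sliding `window`; value is the peak count."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    for r in sorted(records, key=lambda rec: rec.login_time):
        if r.status != "Success":
            by_user[r.username].append(r.login_time)
    peaks: Dict[str, int] = {}
    for user, times in by_user.items():
        start = 0
        for end, tm in enumerate(times):
            while tm - times[start] > window:  # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                peaks[user] = max(peaks.get(user, 0), count)
    return peaks


def success_after_failures(records: List[LoginRecord], min_failures: int = 3,
                           window: timedelta = timedelta(minutes=10)) -> List[LoginRecord]:
    """Successful logins preceded, within `window`, by at least `min_failures` failures for that user."""
    ordered = sorted(records, key=lambda rec: rec.login_time)
    flagged = []
    for i, r in enumerate(ordered):
        if r.status != "Success":
            continue
        recent = sum(1 for prior in ordered[:i]
                     if prior.username == r.username and prior.status != "Success"
                     and r.login_time - prior.login_time <= window)
        if recent >= min_failures:
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    print("outside trusted:", [r.username for r in successes_outside_trusted(SAMPLE)])
    print("failure bursts:", failure_bursts(SAMPLE))
    print("success after failures:", [r.username for r in success_after_failures(SAMPLE)])
```

Against the sample, bob is reported by all three checks, dave only by the trusted-range check, and carol by none, which is the separation a reviewer wants: a single mistyped password should not page anyone. A tighter threshold or window changes what counts as a burst, so the values should be tuned to the org's lockout settings.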
OAuth Settings

Salesforce supports a variety of authentication flows using the OAuth 1.0 and 2.0 protocols to grant external apps (connected apps) access without exposing individual user credentials. You can manage the OAuth settings for individual connected apps.

Setting: Permitted Users
Description: Determines who can run the connected app; all users or only admin approved users.
Location: From Setup, enter Apps in the Quick Find box, then click "Edit" next to the name of the connected app to modify.

Setting: IP Restrictions
Description: Use the IP restrictions set in the org or profile, or relax the IP restrictions for the connected app. Optionally, require a second factor authentication to relax the IP restrictions.
Location: From Setup, enter Apps in the Quick Find box, then click "Edit" next to the name of the connected app to modify.

Setting: Control refresh of access tokens (via login)
Description: Set the required user login intervals to once, every time a user tries to use the connected app, or after a specified period of time.
Location: From Setup, enter Apps in the Quick Find box, then click "Edit" next to the name of the connected app to modify.

Setting: High Assurance session required
Description: Only users meeting the High Assurance requirements for their org, such as two-factor authentication, can use the connected app.
Location: From Setup, enter Apps in the Quick Find box, then click "Edit" next to the name of the connected app to modify.

Setting: Mobile session timeout
Description: If the connected app uses the Salesforce Mobile SDK, the developer can enable an option to provide a configurable session timeout for mobile apps.
Location: From Setup, enter Apps in the Quick Find box, then click "Edit" next to the name of the app to modify. Select PIN Protect.

Setting: Mobile PIN length
Description: If the connected app uses the Salesforce Mobile SDK, the developer can enable an option to control the use and length of user PINs (Personal Identification Numbers) for authentication.
Location: From Setup, enter Apps in the Quick Find box, then click "Manage" next to the name of the app to modify. Set your preferences in Mobile Integration.

Setting: Block/Unblock OAuth connected apps
Description: Monitor the usage of connected apps and block/unblock individual connected apps, manually.
Location: From Setup, enter Connected in the Quick Find box, then select Connected Apps OAuth Usage.

Sensitive Permissions

When using profiles, we recommend reviewing profiles for these sensitive permissions. From Setup, enter Profiles in the Quick Find box, then select Profiles.

Permission: Author Apex
Description: Can modify and deploy Apex. By default, Apex code runs with full administrative privileges.

Permission: Customize Application
Description: Make configuration changes to the organizational settings.

Permission: Download AppExchange packages
Description: Install or uninstall packages from the AppExchange.

Permission: Manage Users
Description: The ability to create or modify user accounts, including logins, sharing rules, and login restrictions.

Permission: Modify All Data
Description: This permission gives the user the ability to create, edit, or delete all data in Salesforce.

Permission: Password Never Expires
Description: Prevent the password from expiring.

Permission: View All Data
Description: View all data owned by other users.

For other cheatsheets:


http://developer.salesforce.com/cheatsheets 10042016
developer.salesforce.com

