Exercise 4: Configure Health Check

Scenario

We have manually resolved a few identity, session, and user-based security settings, but there is still a lot we can do to increase our security posture. Let's go back to Health Check and fix additional risks, import your own baseline, and configure it to notify you of any changes in your Security Score.

Step 1: Return to Health Check

  1. From the Home Page, open Setup.
  2. Type Health Check into the Quick Find.
  3. Select Health Check.

Step 2: Update Password Policies

  1. Click Fix Risks.
  2. Select the checkbox next to each of the Password Policies we'd like to update to select additional security risks:

     Select These Settings                          Status
     Require a minimum 1 day password lifetime      Critical
     Obscure secret answer for password resets      Critical
     Maximum invalid login attempts                 Warning
     Password complexity requirement                Warning
     Lockout effective period                       Warning

  3. Click Change Settings.
  4. Click Yes, Change Settings.

Your Security Score and Status in comparison to the Salesforce Baseline Standard have now changed and you have increased your security posture by addressing the risks in your org.

Step 3: Set Up Email Notifications for Score Changes

  1. Scroll down to Email Notification and click the Disabled toggle to set it to Enabled.
  2. Click + Notify All System Admins.

Tip: You can also add additional recipients that you would like to notify when your Security Score changes. Good people to include are members of your IT and Security Teams.

Step 4: Update the Baseline Standard

The settings in Health Check are in line with the Salesforce Baseline Standard, but some of you might work at organizations with a stricter internal security policy. Let’s export the Standard Baseline, make a change to one of our Password Policies, and then upload our new custom baseline to ensure that your score matches your company goals and not just the default ones.

  1. Click the Settings dropdown next to Salesforce Baseline Standard to access our Baseline Controls.
  2. Click Export Baseline.

Tip: On a Windows machine, open the xml file with Notepad.

Tip: On a Mac, open the xml file with TextEdit. If you are having trouble, you can view the xml in a new browser tab OR you can copy/paste into TextEdit from the Workshop Appendix. To edit, click Format and Make Plain Text.

  3. Make the following change to the Standard Baseline (found in <mediumRiskSecuritySettings>):

     Baseline Standard    NEW Standard
     compliant="8.0"      compliant="11.0"

     Your xml should now look like this:

     <numericRangeSetting name="PasswordPolicies.minPasswordLength" compliant="11.0" warning="6.0"/>

  4. Save your xml doc with the title Custom Baseline.xml.
  5. Return to Health Check Baseline Controls.
  6. Click Import Baseline.
  7. Fill in the following details:

     Name                     Custom Baseline
     API Name                 Custom_Baseline
     Set as Default Baseline  true

  8. Select Choose File and select your Custom Baseline.xml.
  9. Click Import.
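Editing the exported baseline by hand in Notepad or TextEdit works for one setting, but a script is less error-prone when you maintain a custom baseline over time. The following is an added example, not part of the workshop or of Salesforce's tooling: it parses a baseline XML, raises the compliant threshold for PasswordPolicies.minPasswordLength from 8.0 to 11.0 exactly as the step above does, and lists every numericRangeSetting so you can compare your custom file against the exported standard. The <mediumRiskSecuritySettings> section and the numericRangeSetting line come from the exercise; the <baseline> root element, the sample document and the function names are assumptions made for this example.

```python
# Added example (not from the workshop): edit a Health Check baseline XML
# programmatically instead of by hand in Notepad/TextEdit.
import xml.etree.ElementTree as ET

# Constructed sample baseline. The <mediumRiskSecuritySettings> section and
# the numericRangeSetting line are the ones shown in the exercise; the
# <baseline> root element is an assumed wrapper, not the real export format.
SAMPLE_BASELINE = """<?xml version="1.0" encoding="UTF-8"?>
<baseline>
  <mediumRiskSecuritySettings>
    <numericRangeSetting name="PasswordPolicies.minPasswordLength" compliant="8.0" warning="6.0"/>
  </mediumRiskSecuritySettings>
</baseline>
"""

MIN_LENGTH = "PasswordPolicies.minPasswordLength"


def _find_setting(root, setting_name):
    """Return the numericRangeSetting element with the given name, or None."""
    for el in root.iter("numericRangeSetting"):
        if el.get("name") == setting_name:
            return el
    return None


def read_thresholds(xml_text, setting_name):
    """Return {'compliant': float, 'warning': float} for one setting."""
    el = _find_setting(ET.fromstring(xml_text), setting_name)
    if el is None:
        raise KeyError(f"setting not found in baseline: {setting_name}")
    return {"compliant": float(el.get("compliant")),
            "warning": float(el.get("warning"))}


def set_compliant_threshold(xml_text, setting_name, new_value):
    """Return a copy of the baseline XML with the compliant threshold changed.

    Only the 'compliant' attribute is touched; 'warning' and everything else
    in the file are left as exported so the import still validates.
    """
    root = ET.fromstring(xml_text)
    el = _find_setting(root, setting_name)
    if el is None:
        raise KeyError(f"setting not found in baseline: {setting_name}")
    # Health Check writes thresholds as decimals ("8.0"), so keep that shape.
    el.set("compliant", f"{float(new_value):.1f}")
    # ET.fromstring discards the XML declaration; put it back on output.
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def list_settings(xml_text):
    """List (section, name, compliant, warning) for every numericRangeSetting,
    useful for diffing a custom baseline against the exported standard."""
    root = ET.fromstring(xml_text)
    rows = []
    for section in root:
        for el in section.iter("numericRangeSetting"):
            rows.append((section.tag, el.get("name"),
                         el.get("compliant"), el.get("warning")))
    return rows


if __name__ == "__main__":
    # Produce the Custom Baseline.xml file the exercise asks you to import.
    custom = set_compliant_threshold(SAMPLE_BASELINE, MIN_LENGTH, 11)
    with open("Custom Baseline.xml", "w", encoding="utf-8") as fh:
        fh.write(custom)
    for row in list_settings(custom):
        print(row)
```

To use it against a real export, replace SAMPLE_BASELINE with the contents of the file you downloaded in the Export Baseline step; only the compliant value of the named setting is rewritten, so the rest of the file stays byte-for-byte as Salesforce produced it apart from XML serialization.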

We purposely fixed security settings by group so that we could understand some of the important changes Health Check was going to make. Using the Fix Risks tool, you can update multiple (or all) security settings at once. Health Check is designed to help keep your users, and external vectors, from having too much or inappropriate access to your system. It does not, however, dig into your data for potential vulnerabilities, so let's look at that next.

Summary

Health Check is more than just a list of security settings. By setting up notifications when your Security Score changes, and importing a custom baseline, Health Check becomes your risk mitigation dashboard and helps admins shift from being reactive with security concerns to having a proactive security strategy. We did this by configuring Password Policies, exporting the Salesforce Baseline Standard and importing a custom baseline, and setting up notifications when our Security Score changes.

Next: Secure your Data with Shield
