Protect Your Salesforce Implementation and Give Your Users the Freedom They Want


Using login IP Range Restrictions to Prevent Unauthorized Access to Your Orgs

Everyone today has come to expect a high level of flexibility in how and where they work, whether it is the devices they use or the locations they work from. In the case of Salesforce users, these expectations are even more intense. Admins often feel the tension between increasing the security controls for their Salesforce implementation, while giving their users the freedom they want. We live in a mobile and social world so you need to respond to customers anytime, anywhere.

Given this ever changing device landscape, we strongly encourage that customers partner with us to help prevent unauthorized access to their Salesforce orgs. Protecting customer data is our first priority, and that is why we constantly update and improve security with each release. But, as a Salesforce admin, there are features built into the platform that you have the opportunity to enable to make the experience as secure as possible for your unique Salesforce users.

Today let’s focus on one of the key features that we at Salesforce highly recommend our customers enable, called Login IP Range restrictions.

What are login IP range restrictions and why should I care?

First, the basics: An IP address (Internet Protocol address) is a numerical identifier for each device on a network that communicates with other devices over the Internet. The IP address serves both as an “address” that shows the location of a particular device and as an identifier of the device when it interfaces with the host network. I didn’t lose you yet, right? So think of an IP like the address of your house.

Login IP range restrictions limit unauthorized access to Salesforce by requiring users to log in to Salesforce from designated IP addresses, typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access. Those who try to log in to Salesforce from outside the designated IP addresses will not be granted access.

Here’s an example. If your business is located in New York and San Francisco, you can restrict logins to your Salesforce org to those two locations. If an unauthorized third party located in Europe steals one of your employees’ credentials via phishing or another attack method, the third party may attempt to log in to your org using those credentials. However, if you have Login IP Range restrictions enabled, when the attacker tries to log in from an untrusted IP address at their location in Europe, they will be denied access, even though they have the correct credentials.

This security control becomes more effective the more granular you make it. If you set this control to allow logins from anywhere in North America and the attackers are also located in North America, it will not work effectively. The most effective way to implement Login IP range restrictions is to identify appropriate login ranges for each profile type and ensure that those profiles are correctly assigned to the right users. For instance, your call center representatives may have one set of IP ranges covering your office in New York, while your sales representatives may need more permissive IP range restrictions to allow them to work while traveling.

Org level vs Profile level settings

Salesforce has two levels of granularity that can be used when applying login IP range restrictions. The first is at the Org level. Org-level Trusted IP Ranges are the designated IP addresses, typically your corporate network or VPN, from which users can log in without receiving a login challenge. However, this does not entirely restrict access for users outside of the Trusted IP Range. After these users complete the login challenge (usually by entering a code sent to their mobile device or email address), they can log in.

This is how you do it: https://help.salesforce.com/apex/HTViewHelpDoc?id=security_networkaccess.htm&language=en_US

The second level of granularity is profile-based login IP range restrictions. For Enterprise, Performance, Unlimited, Developer, and Database.com editions, you can set the Login IP Range addresses from which users can log in on an individual profile. Users outside of the Login IP Range set on a profile cannot access your Salesforce organization at all. If you are using Enterprise, Unlimited, Performance, or Developer editions, you can configure Login IP Ranges under Manage Users > Profiles. More here:

For Contact Manager, Group, and Professional Editions, you can set the Login IP Range in Setup, Security Controls | Session Settings.
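To make the two levels concrete, here is a small Python model of the login decision described above: profile-level Login IP Ranges deny any login from outside the range, while org-level Trusted IP Ranges only decide whether a login inside them skips the identity challenge. This is an added illustration, not code from Salesforce or from this post. The profile names and the ranges (drawn from documentation-reserved address blocks) are constructed, and the order in which the two checks are evaluated is an assumption of the model, not a statement about how the platform implements it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Salesforce login IP ranges are entered as a start address and an end address,
# so the model stores them the same way rather than as CIDR blocks.
@dataclass(frozen=True)
class IPRange:
    start: str
    end: str

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        lo = ipaddress.ip_address(self.start)
        hi = ipaddress.ip_address(self.end)
        # An IPv6 client address never falls inside an IPv4 range (and vice versa).
        if addr.version != lo.version or addr.version != hi.version:
            return False
        return lo <= addr <= hi


# Constructed sample configuration (hypothetical org):
# org-level Trusted IP Ranges = the corporate office network (203.0.113.0/24).
ORG_TRUSTED: List[IPRange] = [IPRange("203.0.113.0", "203.0.113.255")]

# Profile-level Login IP Ranges. A profile with an empty list has no
# restriction, so its users may log in from any address (subject to the
# org-level challenge). "Call Center" is deliberately narrower than the org
# range, which is the granularity point made in the text.
PROFILE_LOGIN_RANGES: Dict[str, List[IPRange]] = {
    "Call Center": [IPRange("203.0.113.0", "203.0.113.127")],   # NY office floor only
    "Sales": [IPRange("203.0.113.0", "203.0.113.255"),           # office
             IPRange("198.51.100.0", "198.51.100.255")],         # VPN egress (constructed)
    "Standard User": [],                                         # no profile restriction
}


def login_decision(ip: str, profile: str) -> str:
    """Return "DENY", "CHALLENGE" or "ALLOW" for a login attempt from `ip`.

    The password is assumed to be correct already; this models only the
    network-based checks, so a stolen credential used from the wrong place
    still ends in DENY.
    """
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return "DENY"  # unparseable source address: fail closed

    # 1. Profile-level Login IP Ranges are a hard restriction.
    profile_ranges = PROFILE_LOGIN_RANGES.get(profile, [])
    if profile_ranges and not any(r.contains(ip) for r in profile_ranges):
        return "DENY"

    # 2. Org-level Trusted IP Ranges only decide whether a challenge is needed.
    if any(r.contains(ip) for r in ORG_TRUSTED):
        return "ALLOW"
    return "CHALLENGE"


if __name__ == "__main__":
    # Constructed login attempts: (source IP, profile, comment)
    attempts = [
        ("203.0.113.10", "Call Center", "on the call center floor"),
        ("203.0.113.200", "Call Center", "elsewhere in the office, outside the profile range"),
        ("198.51.100.7", "Sales", "sales rep on the VPN"),
        ("192.0.2.5", "Sales", "stolen credential used from an unknown network"),
        ("192.0.2.5", "Standard User", "unrestricted profile from an unknown network"),
    ]
    for ip, profile, note in attempts:
        print(f"{ip:>14}  {profile:<14} -> {login_decision(ip, profile):<9} ({note})")
```

The second attempt is the one worth noticing: the address is inside the org-level Trusted IP Range, but because the Call Center profile is restricted to a narrower range the login is still denied, which is exactly the extra protection a per-profile range buys you. The fourth attempt is the phishing scenario from the text.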

When should you consider implementing Login IP range restrictions?

Even if your users have their Salesforce credentials stolen, having login IP range restrictions enabled will protect your Salesforce organization from unauthorized access. We highly recommend that org-wide Trusted IP Ranges be set for all users in your organization. Profile-based IP range restrictions require more fine tuning, and while it is good to have them for as many users as possible in your organization, we most highly recommend them for folks in your company who have access to lots of data, such as admins. This is a good feature to enable if you have users working from one set of expected locations.

Login IP Ranges and your global travelers or remote employees

If you have users who travel or work remotely but do not use Salesforce1 mobile, you will need to consider ways of incorporating the IP ranges that they may use. The most secure way of accessing your Salesforce organization outside of a corporate network is via VPN. Once your users log in to your company’s VPN, they will connect from previously approved IP addresses. Realistically, the use of login IP range restrictions while traveling becomes more difficult without a VPN, and we recommend evaluating the use of one for your company. For remote employees who consistently connect from the same set of IP addresses, it is possible to create profiles that allow login from those IP addresses and assign them to the relevant users.

Implementing Login IP Ranges with SSO

Login IP range restrictions are compatible with your company’s SSO/SAML authentication system. If your SSO provider already has IP range restrictions in place, you may not need to enable them for your Salesforce organization. However, it is worth checking the granularity of the IP range restrictions at the SAML level, and you may consider adding profile-based restrictions for users in your Salesforce org.

Need help? You can refer to the following two resources for more information:
