AggieService Health Check documentation
Below we document the controls in the Salesforce Health Check and our mitigations thereof. Notes will link to sections further down this document. Mitigation categories are:
Accepted: We aren’t changing the setting and understand the risk. Notes section details reasons behind the lack of mitigation
Updated: We’ve updated to standard value. Notes detail whether our new value deviates from the standard value at all.
Deferred: We aren’t changing the setting, but the risk is mitigated elsewhere in the system. Notes details related system and how it addresses the risk
Health Check Findings
STATUS | SETTING | GROUP | YOUR VALUE | STANDARD VALUE | MITIGATION | NOTES |
|---|---|---|---|---|---|---|
Critical | Expired Certificate | 6 | 0 |
|
| |
Critical | Lock sessions to the domain in which they were first used | Disabled | Enabled |
|
| |
Critical | Enable clickjack protection for customer Visualforce pages with standard headers | Disabled | Enabled |
|
| |
Critical | Enable clickjack protection for customer Visualforce pages with headers disabled | Disabled | Enabled |
|
| |
Critical | Require HttpOnly attribute | Disabled | Enabled |
|
| |
Critical | Number of Objects with Default External Access Set to Public | 17 | 0 |
|
| |
Warning | Maximum invalid login attempts | 10 | 3 |
|
| |
Compliant | Number of security risk file types with Hybrid behavior | 0 security risk file types with Hybrid behavior | 0 security risk file types with Hybrid behavior |
|
| |
Compliant | Let users verify their identity by text (SMS) | Enabled | Enabled |
|
| |
Compliant | Enable clickjack protection for Setup pages | Enabled | Enabled |
|
| |
Compliant | Enable clickjack protection for non-Setup Salesforce pages | Enabled | Enabled |
|
| |
Compliant | Enable CSRF protection on GET requests on non-setup pages | Enabled | Enabled |
|
| |
Compliant | Enable CSRF protection on POST requests on non-setup pages | Enabled | Enabled |
|
|
STATUS | SETTING | GROUP | YOUR VALUE | STANDARD VALUE | MITIGATION | NOTES |
|---|---|---|---|---|---|---|
Critical | Require a minimum 1 day password lifetime | Disabled | Enabled |
|
| |
Critical | User passwords expire in | Never expires | 30 days |
|
| |
Critical | Enforce password history | No passwords remembered | 3 passwords remembered |
|
| |
Critical | Force relogin after Login-As-User | Disabled | Enabled |
|
| |
Critical | Enforce login IP ranges on every request | Disabled | Enabled |
|
| |
Critical | Enable XSS protection | Disabled | Enabled |
|
| |
Critical | Enable Content Sniffing protection | Disabled | Enabled |
|
| |
Critical | Administrators Can Log in as Any User | Enabled | Disabled |
|
| |
Warning | Password complexity requirement | Must include alpha and numeric characters | Must include alpha, numeric, and special characters |
|
| |
Compliant | Minimum password length | 8 characters | 8 characters |
|
| |
Compliant | Enable Content Security Policy protection for email templates | Enabled | Enabled |
|
|
STATUS | SETTING | GROUP | YOUR VALUE | STANDARD VALUE | MITIGATION | NOTES |
|---|---|---|---|---|---|---|
Critical | Force logout on session timeout | Disabled | Enabled |
|
| |
Critical | Require identity verification for email address changes | Disabled | Enabled |
|
| |
Warning | Lockout effective period | 15 minutes | 30 minutes |
|
| |
Warning | Session Timeout | 8 hours | 15 minutes |
|
| |
Compliant | Remote Site Settings | No remote sites with the Disable Protocol Security option selected | No remote sites with the Disable Protocol Security option selected |
|
| |
Compliant | Obscure secret answer for password resets | Enabled | Enabled |
|
| |
Compliant | Password question requirement | Cannot contain password | Cannot contain password |
|
| |
Compliant | Require identity verification during multi-factor authentication (MFA) registration | Enabled | Enabled |
|
|
STATUS | SETTING | GROUP | YOUR VALUE | STANDARD VALUE | MITIGATION | NOTES |
|---|---|---|---|---|---|---|
Warning | Key Size | 2048 | 4096 |
|
| |
Compliant | Certificate Expiration | 263 days | 179 days |
|
|
Notes
Change History
| Version | Date | Comment |
|---|---|---|
| Current Version (v. 4) | Aug 16, 2022 17:30 | Jose Boveda |
| v. 3 | Aug 16, 2022 17:29 | Jose Boveda |
| v. 2 | Aug 16, 2022 17:24 | Jose Boveda |
| v. 1 | Aug 16, 2022 17:16 | Jose Boveda |