Use Health Check to Scan Your Security Configurations

Learning Objectives

After completing this unit, you’ll be able to:

  • Run a security health check on your own org.
  • Describe what your summary score says about your org’s security health.
  • Identify the Tooling API objects that allow you to get Health Check information.
Note

To complete this unit, make sure that you have the “View Setup and Configuration” and “Manage Password Policies” user permissions.

Ever Wish You Had a Dashboard to Assess Your Security Settings?

We have good news — you do! It’s called Health Check, and it's available in Setup. As an admin, you can use Health Check to improve your org’s overall security and even improve your score with one click. You can even run it before you’re done with this module! Don’t worry, we’ll wait here until you're done.

Health Check gives you visibility into all of your org's security settings and allows you to identify and fix vulnerabilities in your security settings, all from a single page. A score shows how "healthy" your org's security is, on a scale from 0-100 (100 being the most secure). The score is calculated by measuring how closely your org's security settings (the Your Value column) align with Salesforce's recommended settings (the Standard Value column).

Screenshot of the Health Check user interface, showing a grade of 79% Good

Typically, if you change your settings to be more restrictive, your score increases. For example, suppose you changed the minimum required length of your passwords from eight characters to 16, and reduced the limit for invalid login attempts. These changes make your users’ accounts less vulnerable to password hacking and brute force attacks, and increase the security of your org.

Identify and Fix Security Risks in Your Org

Now that you're aware of Health Check's capabilities, let's try it out. 

  1. Log in to your Salesforce org.
  2. Go to the Setup page.
  3. In the Quick Find box, type Health Check (or scroll down the Setup menu to Security Settings).
  4. Select Health Check.

Each setting has an Edit link next to it that takes you to the page where you can adjust the setting to the standard value. For reference, standard values are listed in Health Check. You can also click the Fix Risks button in Health Check to change all settings to the recommended value at once! Be aware that changing all of these settings at once may affect something unintended like an integration or accidentally remove access for some users — so when adjusting user visibility and access, we recommend testing changes in your sandbox first. In either case, it's best to go through these one at a time.

Screenshot of the Fix Security Risks screen within Health Check, showing a list of critical security settings

Custom Baselines

Health Check is set up to automatically measure your org's security against the Salesforce baseline (called Standard Values in the tool), but you can also import your own baseline for a more customized view of security. These are called Custom Baselines in the tool, and you can add them by importing an XML file.

Why would an admin want to add a custom baseline? This might be useful for an admin who works in a highly regulated industry — like finance or healthcare — and has to meet very strict compliance requirements that differ from the security industry standard. We recommend aligning with your IT or Compliance team before importing a custom baseline to Health Check.

Here’s a video showing an example of improving your Health Check score.

View Security Across Multiple Orgs with Security Center and Optimizer

If you run a Salesforce environment with multiple orgs, you can use the power of Health Check across all of your orgs with Salesforce's Security Center. This tool is an add-on and not available out of the box like Health Check, but has a deeper level of capabilities that span multiple orgs. 

Security Center also provides important insights for admins like how many users are logging in with multi-factor authentication (MFA) and which users have admin-level permissions. Salesforce Optimizer also includes some of these capabilities, and is available at no cost in products built on the Salesforce platform. 

Note

To get Health Check information through the API, you need command line and administrative access to your Salesforce application.
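The Tooling API objects behind Health Check are SecurityHealthCheck (the score) and SecurityHealthCheckRisks (one row per setting). The following Python is an added example, not code from this unit or from Salesforce: it triages query results into an ordered review list so settings can be worked through one at a time. The JSON responses are constructed samples, and the function names and the `min_score` threshold are hypothetical.

```python
import json

# Tooling API queries behind Health Check (run them with your own API client).
SCORE_SOQL = "SELECT Score FROM SecurityHealthCheck"
RISKS_SOQL = ("SELECT RiskType, Setting, SettingGroup, OrgValue, StandardValue "
              "FROM SecurityHealthCheckRisks")

# Constructed sample responses in the REST query-result shape; not real org data.
SAMPLE_SCORE = json.dumps({"totalSize": 1, "done": True, "records": [{"Score": "79"}]})
SAMPLE_RISKS = json.dumps({"totalSize": 4, "done": True, "records": [
    {"RiskType": "MEDIUM_RISK", "Setting": "Maximum invalid login attempts",
     "SettingGroup": "PasswordPolicies", "OrgValue": "10", "StandardValue": "3"},
    {"RiskType": "MEETS_STANDARD", "Setting": "Password complexity requirement",
     "SettingGroup": "PasswordPolicies", "OrgValue": "Alphanumeric",
     "StandardValue": "Alphanumeric"},
    {"RiskType": "HIGH_RISK", "Setting": "Force logout on session timeout",
     "SettingGroup": "SessionSettings", "OrgValue": "Disabled", "StandardValue": "Enabled"},
    {"RiskType": "HIGH_RISK", "Setting": "Minimum password length",
     "SettingGroup": "PasswordPolicies", "OrgValue": "5", "StandardValue": "8"},
]})

RANK = {"HIGH_RISK": 0, "MEDIUM_RISK": 1}  # anything else sorts last


def records(raw):
    """Return the records of one query response, refusing truncated results."""
    body = json.loads(raw)
    if not body.get("done", False):
        raise ValueError("partial result: fetch nextRecordsUrl before triaging")
    return body["records"]


def triage(score_raw, risks_raw, min_score=80):
    """Build an ordered review list; min_score is a hypothetical local threshold."""
    score = float(records(score_raw)[0]["Score"])
    gaps = [r for r in records(risks_raw) if r["RiskType"] != "MEETS_STANDARD"]
    gaps.sort(key=lambda r: (RANK.get(r["RiskType"], 2), r["SettingGroup"], r["Setting"]))
    high = [r for r in gaps if r["RiskType"] == "HIGH_RISK"]
    return {
        "score": score,
        "passed": score >= min_score and not high,
        "review": [(r["RiskType"], r["Setting"], r["OrgValue"], r["StandardValue"])
                   for r in gaps],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SCORE, SAMPLE_RISKS)
    print(f"score={result['score']:.0f} passed={result['passed']}")
    for risk, setting, org_value, standard in result["review"]:
        print(f"{risk:<12} {setting}: {org_value} -> standard {standard}")
```

Reviewing the ordered list before using Fix Risks shows exactly which settings would change and to what value, which is the input you need for sandbox testing.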
