MC382484: Microsoft Secure Score is adding new improvement actions for Salesforce and ServiceNow

We’re updating Microsoft Secure Score improvement actions to ensure a broader coverage of security posture. This update will include new controls for Salesforce and ServiceNow posture as a Microsoft Secure Score improvement action. We will continue to add suggested security improvement actions on an ongoing basis.

Please be advised that these new improvements actions will require a Salesforce/ServiceNow configured connector via Defender for Cloud Apps. For more information, please see: Connect Salesforce to Defender for Cloud Apps | Microsoft Docs or Connect ServiceNow to Defender for Cloud Apps | Microsoft Docs.

When this will happen

Preview: will begin rolling out in mid-June and is expected to be complete in late June.

How this will affect your organization

The following improvement actions will be added to Microsoft Secure Score:

Saleforce

• Require identity verification during multi-factor authentication (MFA) registration
• Lock sessions to the domain in which they were first used
• Let users verify their identity by text (SMS)
• Enable clickjack protection for Setup pages
• Enable clickjack protection for non-Setup for Salesforce pages
• Enable clickjack protection for customer VisualForce pages with standard headers
• Enable clickjack protection for customer VisualForce pages with headers disabled
• Enable CSRF protection on GET requests on non-setup pages
• Enable CSRF protection on POST requests on non-setup pages
• Require HttpOnly attribute
• Maximum invalid login attempts
• Require a minimum 1 day password lifetime
• Force (admin) relogin after Login-As-User
• Enforce login IP ranges on every request
• Enable Content Security Policy protection for email templates
• Enable XSS protection
• Enable Content Sniffing protection
• Disable Administrators Can Log In As Any User
• Enforce password history
• Minimum password length
• User passwords expire in 90 days or less
• Password complexity requirement
• Obscure secret answer for password resets
• Force logout on session timeout
• Require identity verification for change of email address
• Password question requirement to not contain password
• Session timeout
• Lockout effective period
• Disable Caching and Autocomplete on Login Page via Session settings

ServiceNow

• Enable high security plugin
• Enable enforcing JSONv2 requests with basic authorization
• Enable enforcing SOAP requests with basic authorization
• Enable Contextual Security: Role Management plugin
• Enable default deny with new ACL rules
• Apply access control rule (ACL) validation when server-side records are accessed using GlideAjax APIs within a client script
• Activate the Explicit Role plugin
• Set client-callable script includes to private
• Enable script request authorization
• Activate security jump start (ACL rules) plugin
• Enable SOAP content type checking
• Enable unload request authorization
• Set default cache-control HTTP header value to private
• Set default cache-control HTTP header value to private
• Enable absolute session timeout
• Enable anti-CSRF token
• Disable password-less authentication
• Enable multi-factor authentication
• Enable Password Reset Policy Checks
• Enable managing failed login attempts
• Enable session activity timeout
• Enable client generated scripts sandbox
• Enable SOAP request strict security

What you need to do to prepare

To prepare for this change, you are required to connect your Microsoft Defender for Cloud Apps to your Salesforce/ServiceNow (for more information, please see Connect Salesforce or Connect ServiceNow). Microsoft recommends reviewing the improvement actions listed in Microsoft Secure Score.

Message ID: MC382484
Published: 20 May 2022
Updated: 20 May 2022