Limit Login IP Ranges Control
Login IP Ranges at the profile level enforce a zero-trust boundary by restricting Salesforce access to authorized, company-controlled network environments (such as a corporate VPN or office IP range).
Control Name
Login IP Ranges in User Profiles
Recommended Configuration
Login IP Ranges are configured per user profile: Setup > Profiles > [profile] > Login IP Ranges. Each range is a start and end address (IPv4 or IPv6) with an optional description.
Control Overview
Login IP Ranges at the profile level enforce a zero-trust boundary by restricting Salesforce access to authorized, company-controlled network environments (such as a corporate VPN or office IP range). Combining this profile-level control with network-layer defenses means that even if a user's credentials are stolen, an attacker cannot log in from an external, untrusted location, which neutralizes most remote unauthorized login attempts. The check is applied at login time; to have it re-evaluated on every request for the life of the session, also enable "Enforce login IP ranges on every request" under Session Settings.
Security Risk If Not Configured
A compromised password or stolen session token can be used by an attacker from any location or device worldwide. Without Login IP Ranges you lose the ability to geographically and logically fence your CRM, leaving your data exposed to remote unauthorized access that originates outside your secured corporate network or VPN.
Threat Scenarios
An attacker with stolen credentials can log in from a foreign IP address or a public Wi-Fi network, bypassing your internal security perimeter entirely. Because no Login IP Ranges block the connection, they can silently exfiltrate sensitive CRM data or change system configuration from anywhere in the world.
Estimated CVSS Score Range
Critical (9.0–10.0).
Risk Impact Considerations
Risk severity depends on the user population size and access privileges granted upon login.
Higher Risk When
- User identity verification (MFA or an equivalent check) is not in place
- Session controls that limit the session are not configured, including:
  - Ineffective Session Timeout Policy
  - Overly Permissive Access Scope
Low or No Risk When
This control can be considered low risk when one or more of the following are implemented:
- MFA Enforcement or identity verification is in place: MFA is enforced for Salesforce users
- IP login restriction at the network layer: logins are limited to corporate network or VPN egress addresses by firewall or VPN policy, at least for users whose profiles can modify Setup
- Session timeout: an effective session timeout policy is configured, so idle sessions expire and users are logged out automatically
- Single Logout: Single Logout is configured to make sure that all background sessions are logged out after the user has logged out
- Strict Password Policy: Strict password policy in place, which includes frequent password rotation/expiration date
Business and Integration Considerations
Customers should evaluate the entry points of their users' endpoints (office networks, VPN, remote and travelling users on dynamic ISP addresses) and what data each user profile is exposed to. Login IP Ranges also apply to API logins, so profiles used by integrations must include the fixed egress addresses of each integration, or those integrations will be locked out.
Recommended Remediation
Set up Login IP Ranges for each profile in the org, covering only company-controlled egress addresses (corporate VPN, office NAT, and the fixed egress IPs of approved integrations). Avoid ranges so wide that they fence nothing, and review profiles that have no ranges defined at all, since those still permit login from any address.
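An offline audit of retrieved Profile metadata, added here as an example; it is not part of this page and not Salesforce tooling. It assumes profiles were pulled with the Salesforce CLI (for example `sf project retrieve start --metadata Profile`), which writes one `*.profile-meta.xml` file per profile containing `loginIpRanges` elements with `startAddress`, `endAddress` and `description`. The three sample profiles, the 203.0.113.0/24 documentation addresses and the /16 "too broad" threshold are constructed assumptions for illustration; point `load_profile_dir` at your own retrieved directory for real data.

```python
"""Audit Salesforce Profile metadata for Login IP Ranges.

Added example (not Salesforce's own tooling). Flags profiles that have no ranges
(logins allowed from anywhere) and ranges so broad they fence nothing, and can
answer "would a login from this IP pass this profile's ranges?".
"""
import glob
import ipaddress
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Namespace used by Metadata API profile files (force-app/main/default/profiles/*.profile-meta.xml)
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Assumption: anything larger than a /16 (65,536 addresses) is not "company-controlled".
MAX_RANGE_SIZE = 2 ** 16

# Constructed sample profiles standing in for retrieved files; not from a real org.
SAMPLE_PROFILES: Dict[str, str] = {
    "System Administrator": """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>false</custom>
    <loginIpRanges>
        <description>Corporate VPN egress</description>
        <endAddress>203.0.113.30</endAddress>
        <startAddress>203.0.113.10</startAddress>
    </loginIpRanges>
    <userLicense>Salesforce</userLicense>
</Profile>""",
    "Standard User": """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>false</custom>
    <userLicense>Salesforce</userLicense>
</Profile>""",
    "Integration User": """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <loginIpRanges>
        <description>Wide open (misconfigured)</description>
        <endAddress>255.255.255.255</endAddress>
        <startAddress>0.0.0.0</startAddress>
    </loginIpRanges>
    <userLicense>Salesforce</userLicense>
</Profile>""",
}

Range = Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress, str]


def parse_ranges(profile_xml: str) -> List[Range]:
    """Extract (start, end, description) tuples from one profile's XML."""
    root = ET.fromstring(profile_xml)
    ranges: List[Range] = []
    for node in root.findall("md:loginIpRanges", NS):
        start = ipaddress.ip_address(node.findtext("md:startAddress", namespaces=NS))
        end = ipaddress.ip_address(node.findtext("md:endAddress", namespaces=NS))
        desc = node.findtext("md:description", default="", namespaces=NS)
        if start.version != end.version or end < start:
            raise ValueError(f"malformed range {start}-{end}")
        ranges.append((start, end, desc))
    return ranges


def audit(profiles: Dict[str, str]) -> Dict[str, List[str]]:
    """Return a list of findings per profile name (empty list = no issue found)."""
    findings: Dict[str, List[str]] = {}
    for name, xml in profiles.items():
        issues: List[str] = []
        ranges = parse_ranges(xml)
        if not ranges:
            # Salesforce behaviour: a profile with no ranges permits login from any IP.
            issues.append("no Login IP Ranges: logins allowed from any IP")
        for start, end, desc in ranges:
            size = int(end) - int(start) + 1
            if size > MAX_RANGE_SIZE:
                issues.append(f"over-broad range {start}-{end} ({size} addresses): '{desc}'")
        findings[name] = issues
    return findings


def ip_allowed(profile_xml: str, source_ip: str) -> bool:
    """True if a login from source_ip would pass this profile's Login IP Ranges."""
    ranges = parse_ranges(profile_xml)
    if not ranges:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(s <= ip <= e for s, e, _ in ranges if s.version == ip.version)


def load_profile_dir(path: str) -> Dict[str, str]:
    """Read every *.profile-meta.xml file in a retrieved metadata directory."""
    profiles: Dict[str, str] = {}
    for fn in sorted(glob.glob(os.path.join(path, "*.profile-meta.xml"))):
        name = os.path.basename(fn).replace(".profile-meta.xml", "")
        with open(fn, encoding="utf-8") as fh:
            profiles[name] = fh.read()
    return profiles


if __name__ == "__main__":
    for profile, issues in audit(SAMPLE_PROFILES).items():
        print(f"{profile}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against a real retrieve with `audit(load_profile_dir("force-app/main/default/profiles"))`. The two failure modes it reports match the ones that make this control ineffective: a profile with no ranges at all, which Salesforce treats as unrestricted, and a range so wide that it restricts nothing.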
Security Health Review Guidance
Security Health Review identifies the platform configuration related to IP ranges. IP ranges can be configured at the org level under Network Access (Trusted IP Ranges) or at the profile level (Login IP Ranges). Note that these behave differently: org-level Trusted IP Ranges do not block logins, they only exempt logins from those addresses from the identity verification challenge, whereas profile-level Login IP Ranges deny any login that originates outside the configured ranges. Only the profile-level setting satisfies this control.

