SERVICENOW INSTANCE HARDENING
Customer Security Document

Managed Document #: 11081

HI Knowledge Base #: KB0536146

Effective date: July 14, 2014

Version: 2.0

© COPYRIGHT 2014 SERVICENOW, INC. ALL RIGHTS RESERVED

3260 Jay Street, Santa Clara, CA 95054, USA

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from ServiceNow, Inc.

Every effort has been made to ensure the accuracy of this document. However, ServiceNow, Inc., makes no warranties with respect to this document and disclaims any implied warranties of merchantability and fitness for a particular purpose. ServiceNow, Inc., shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this document or examples herein. The information in this document is subject to change without notice.

TRADEMARKS
ServiceNow and the ServiceNow logo are trademarks of ServiceNow, Inc., in the United States and certain other jurisdictions. ServiceNow, Inc., also uses numerous other registered and unregistered trademarks to identify its goods and services worldwide. All other marks used herein are the trademarks of their respective owners, and ServiceNow, Inc., claims no ownership in such marks.

Managed Document #: 11081   ServiceNow Confidential   Page: 1 of 19
ServiceNow Instance Hardening Customer Security Document

Table of Contents
1 ServiceNow Security Hardening ..... 4
1.1 General Security Best Practice ..... 4
1.1.1 Change Default Credentials ..... 4
1.1.2 Remove Credentials From Welcome Page ..... 5
1.1.3 Individual Login IDs ..... 5
1.1.4 Contextual Security Plugin ..... 5
1.1.5 TLS/SSL Certificates ..... 5
1.1.6 Event Monitoring ..... 5
1.1.7 Patches and Updates ..... 6
2 ServiceNow Security Plugins ..... 6
2.1 IP Address Restrictions Plugin ..... 6
2.1.1 Restrict Access to Specific IP Ranges ..... 6
2.2 SNC Access Control Plugin ..... 7
2.3 Security Jump Start - ACL Rules ..... 7
2.4 High Security Plugin ..... 7
2.4.1 Authentication & Authorization Settings ..... 8
2.4.2 Content & Input Validation ..... 8
2.4.3 Session Management ..... 9
3 Additional System Properties ..... 10
3.1 Authentication and Authorization ..... 11
3.1.1 Performance Monitoring ACL ..... 11
3.2 Session Management ..... 11
3.2.1 Session Activity Timeout ..... 11
3.2.2 Cookies – HTTP Only ..... 12
3.2.3 Secure Session Cookie ..... 12
3.2.4 Managing Failed Login Attempts ..... 13
3.3 Content & Input Validation ..... 13
3.3.1 Enable File Download Restrictions ..... 13
3.3.2 Specify Downloadable File Types ..... 14
3.3.3 Browser Rendering Restrictions (MIME Type) ..... 14
3.3.4 Restrict Instance Root Directory Uploads ..... 15
3.3.5 Limit Root Directory File Types (MIME Types) ..... 15
3.3.6 Encryption ..... 16
4 Access Control (ACL) ..... 16
5 Authentication and Password Rules ..... 16
5.1 Enforce Strong Passwords ..... 17
6 Document Control Information ..... 17
6.1 References ..... 17
6.2 Document Control ..... 18
6.3 Revision History ..... 18

List of Tables
Table 1. Authentication & Authorization Settings ..... 8
Table 2. Content & Input Validation ..... 9
Table 3. Session Management ..... 10
Table 4. Document Control ..... 18
Table 5. Revision History ..... 19

1 ServiceNow Security Hardening
ServiceNow has an extensive configuration capability documented on its wiki. The majority of the security content can be accessed at the links found on the Security section of ServiceNow's wiki. The following sections document some of the key security-relevant settings and configurations that can be applied to ServiceNow instances.

1.1 General Security Best Practice
This section contains some general security best practices for locking down your ServiceNow instance.

1.1.1 Change Default Credentials
Immediately change the default "admin", "itil", and "employee" credentials.
1. Log in with the username "admin" and the password "admin".
2. Under System Security -> Users and Groups, click "Users".
3. Search for the user with a User ID of "admin" and a Name of "System Administrator". Click the "admin" User ID to modify the user's settings.
4. Modify the Email field to reflect a valid email address for that user.
5. Select the "Password needs reset" box.
6. Click Update.
7. Log out and log in again. You will be prompted to set a new password.
8. Repeat steps 3 through 7 for the "itil" and "employee" accounts.

1.1.2 Remove Credentials From Welcome Page
The default content on the welcome page should be changed to remove the default credentials. In System UI -> Welcome Page Content, find the two sections with a short description of "How To Login" and change their Active state from true to false.

1.1.3 Individual Login IDs
Ensure all users have individual user IDs. This allows auditing of all user activities.

1.1.4 Contextual Security Plugin
Verify that the Contextual Security plugin is active. In the System Definition -> Plugins module, search for the Contextual Security Plugin.

1.1.5 TLS/SSL Certificates
If you are utilizing LDAP integration for authentication, connecting via web services, or utilizing a MID server, please refer to Uploading a Certificate for details on uploading a certificate and on its configuration. Web service mutual authentication is recommended when accessing ServiceNow web services.

1.1.6 Event Monitoring
Ensure that a schedule is in place for monitoring system events, including logins and failed logins. These can be accessed through System Logs -> Events.

1.1.7 Patches and Updates
Ensure that the instance is running the most current patch level. ServiceNow releases security fixes within many of the patches and hot fixes that it releases along with product feature updates. Patching when new patches and hot fixes are available will reduce vulnerability to security issues. ServiceNow undergoes two penetration tests per week on average, and while most of these don't result in significant vulnerabilities, there are vulnerabilities being found and fixed on a regular basis. Information on ServiceNow releases, patches and hot fixes can be found on the Release Notes section of the wiki.

2 ServiceNow Security Plugins

2.1 IP Address Restrictions Plugin
ServiceNow has the capability of restricting access based on the IP address of the client. Any client not originating from the allowed IP address range will be unable to access the URL. Please see IP Based Access Controls for details of the operation of this plugin.

2.1.1 Restrict Access to Specific IP Ranges
Unless the ServiceNow instance is intentionally public, administrators should limit access to their ServiceNow instance to their assigned IP net blocks. The example below details how to add IP restrictions.
1. Elevate your privileges to "security_admin" by clicking on the lock next to the "Welcome: [Username]" message.
2. In the System Security section, click on the IP Access Control link.
3. Click the New button to add an IP ACL entry.
4. Add the IP start and end range.
5. Click Submit.

2.2 SNC Access Control Plugin
The SNC Access Control plugin allows customers to control access by ServiceNow customer support to their instances. The default configuration for ServiceNow is that support can access a customer's instances through an internal process that creates a short-term support credential. Although all access is audited, some customers prefer to control this access themselves.
The SNC Access Control plugin can control this access; however, it does have some implications on support SLAs, as customers must grant ServiceNow access before support activities can commence. Please see ServiceNow Access Control for more information.

2.3 Security Jump Start - ACL Rules
The Security Jump Start (ACL Rules) Plugin is installed automatically on all new instances. These rules were written to provide a jump-start on securing many system tables, to make it easier for an organization to get into production more quickly.
This plugin is not intended for existing instances, as it might modify security access to tables that are already in use in a production environment. If an admin is interested in the new ACL rules provided by this plugin, one or more of them may be created manually in an existing instance as specific needs dictate. This list of ACLs may be used as a guideline in that case. Should an admin strongly want this plugin installed on an existing instance, we highly recommend the plugin be tested extensively in a test instance first, to ensure that the rules do not conflict with the operational needs of the organization's current implementation. Please see Security Jump Start - ACL Rules for more information.

2.4 High Security Plugin
The high security plugin was added to ServiceNow prior to the release of Aspen at the beginning of 2012. It is important to note that all new instances are created with this plugin activated. If your instance was upgraded from a release prior to Aspen, the plugin will be disabled.
The details of the high security plugin are located on the ServiceNow wiki at High Security Settings. Although this link fully describes the capabilities, we have included an overview below.

2.4.1 Authentication & Authorization Settings
The authentication and authorization section covers the settings that govern how users of the instance prove their identity and whether they hold a role that permits a given action.

Name | Description | Default Value | Recommended Value
Authorization Checks | Require basic authentication for incoming XML, XSD, WSDL, CSV, Excel, PDF, RSS, Import, Script, and Unload requests. | Yes | Yes
Web Services Authorization Checks | Web services can connect via a service account to perform basic functions. This setting requires basic authorization for incoming SOAP and JSONv2 requests. | Yes | Yes
Strict SOAP Security | Enforce strict security on incoming SOAP requests. Checking this requires incoming SOAP requests to go through the security manager for table and field access, as well as checking SOAP users for the correct roles for using the web service. More information can be found in the documentation for the Contextual Security Plugin and Web Services. | Yes | Yes
SMTP Authentication | SMTP server requires username and password authentication. | No | Yes
Strict Authorization Checks | Double check security on inbound transactions during form submission (rights are always checked on form generation). | Yes | Yes

Table 1. Authentication & Authorization Settings
2.4.2 Content & Input Validation
The controls within the input and content validation section define and restrict what a user may enter into a script, request, or form field within the application.

Name | Description | Default Value | Recommended Value
Escape XML Input | Escape XML values at the parser level for the user interface. This will prevent reflected and stored cross-site scripting attacks. | Yes | Yes
Escape HTML Input | Escape HTML for HTML fields in a list view. | Yes | Yes
Escape Scripting Input | Forces all scripts injected in Jelly to be escaped by default. Use noesc: to preserve special characters. | No | Yes
URI Relative Links | Enforce relative links from the URI parameter on /ess/catalog.do. If checked, then only relative URLs are permitted through the /ess/catalog.do page using the parameter 'uri'. If unchecked, all URLs are permitted, which may permit linking to external unauthorized content. | No | Yes
Same Origin Policy | Enable this property to set the X-Frame-Options response header to SAMEORIGIN for all UI pages. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. More information is available on the Mozilla Developer Network. | Yes | Yes
JavaScript Pre-Processing | Check conditions on UI actions before execution; normally the conditions are only checked during form rendering. | Yes | Yes
MIME Type Rendering | A list of comma separated attachment MIME types that do not render inline in the browser. This will prevent cross-site scripting attacks. For example, text/html will force HTML files to be downloaded to the client as attachments rather than viewed inline in the browser. | (empty) | text/html
AJAX Sandbox | Run client generated scripts (AJAXEvaluate and query conditions) inside of a reduced rights "sandbox". If enabled, only those business rules and script includes with the "Client callable" checkbox set to "true" become available and certain back-end API calls are disallowed. | Yes | Yes
Disallow HTML Code Samples | Allow support for embedding HTML code by using the [code] tag. | No | No
JavaScript Code Tags in HTML Samples | Allow embedded HTML (using [code] tags) to contain JavaScript tags. | No | No
Disable Autocomplete | Allow browsers to use autocomplete on password fields on login forms. | No | No
Disable AJAXEvaluate | Enable the AJAXEvaluate processor. | No | No
AJAX Sandbox no logging | Specifies whether to block the log(), logError(), and logWarning() methods when running script from the sandbox. | No | Yes

Table 2. Content & Input Validation
2.4.3 Session Management
Session management features are a category containing attributes or restrictions on user sessions to a given instance.

Name | Description | Default Value | Recommended Value
Disable "Remember Me" | Remove the "Remember me" checkbox from the login page. | No | Yes
Rotate Session IDs | Rotate HTTP session identifiers to reduce security vulnerabilities. NOTE: Unless using SSO, this feature is enabled by default. | Yes | Yes
Secure Session Cookies | Enable secure session cookies: Enable additional cookie security. If checked, strict session cookie validation is enforced. With version 3 cookies enabled, additional security requirements are also enforced. | Yes | Yes
Anti-CSRF Token | Enable usage of a secure token to identify and validate incoming requests. This token is used to prevent cross-site request forgery attacks. | Yes | Yes
Strict CSRF Validation | When set to true, enforces strict CSRF token validation that does not allow the request to be resubmitted if the CSRF token does not match. | No | Yes

Table 3. Session Management

3 Additional System Properties
This section contains some general security configurations that can be applied to ServiceNow to provide additional security over the default configuration. Many of the security features are activated using system properties. If new properties need to be added, please follow the guide that can be found at Adding a Property on the ServiceNow wiki.
Follow these steps for adding a system property. Repeat steps 3-5 for additional system properties.
1. Log into the instance as a user with "Admin" role privileges.
2. Type sys_properties.list in the "Type filter text" box in the top left corner of the instance.
3. Once the page redirects to the System Properties page, create a new entry by clicking the New button.
4. Add Description, Property Name, Type and Value. The Choice field is used for the Choice List type.
5. NOTE: The property name value must be entered exactly as defined in this document.
6. Click Submit to save the current record in the System Properties table.

3.1 Authentication and Authorization
3.1.1 Performance Monitoring ACL
Description: When set to 'true', this property only allows access to https://instancename.servicenow.com/stats.do and https://instancename.servicenow.com/threads.do by the administrator account. Without this setting enabled it is possible to access stats.do and threads.do from an unauthenticated connection.
Property Name: glide.security.diag_txns_acl
Type: True | False
Value: True
Release: All supported versions of ServiceNow.

3.2 Session Management
3.2.1 Session Activity Timeout
Description: This setting contains the timeout value in minutes. It is important to note that this is an activity timeout.
NOTE: If there are gauges or content on users' home pages that refresh automatically, then this timeout may never be reached.
Property Name: glide.ui.session_timeout
Type: Integer
Value: User Specified Timeout In Minutes (60 minutes is the recommended value, but this may vary depending on functionality and security requirements. It is not recommended to set this to more than one day.)
Release: This is present in all available releases.

3.2.2 Cookies – HTTP Only
Description: When set to 'true', prevents scripts running in the browser, including those injected by a cross-site scripting attack, from accessing the session cookie.
Property Name: glide.cookies.httponly
Type: True | False
Value: True
Release: All releases of Berlin and subsequent major platform versions.

3.2.3 Secure Session Cookie
Description: When set to 'true', prevents access to session information within a cookie.
Property Name: glide.cookies.secure
Type: True | False
Value: True
Release: This is available in all releases of Berlin and subsequent major platform versions.
3.2.4 Managing Failed Login Attempts
Overview
Two inactive Script Actions are provided that allow a site to manage the number of times a user can fail to provide the correct password before getting locked out from the system.
From the left navigation pane, select System Policy > Script Actions to see/activate them.
SNC User Clear - updates the user record upon a successful login, resetting the number of failed attempts and updating the date of the last login.
SNC User Lockout Check - keeps track of the number of failed login attempts and will lock the user out after 5 failed attempts (change the number as desired).
Viewing Failed Login Attempts
Attempts at logging in are captured as part of the Event Logs (System Policy > Event Logs). Here you may filter for "login.failed" in the name field and view the attempted login name, date, and IP address logged from the attempt.

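The two script actions described above, as an added example that is not ServiceNow's own code: the lockout and clear bookkeeping in plain JavaScript replayed over constructed event-log rows, followed by the "login.failed" review filter. The in-memory user record, the success event name "login" and the sample rows are assumptions.

```javascript
// Added example, not the ServiceNow "SNC User Clear" / "SNC User Lockout Check"
// script actions themselves: the same bookkeeping in plain JavaScript so the
// lockout behaviour can be run and tested offline. In the instance the script
// actions read and write the sys_user record; here a plain object stands in
// for that record, and the event rows below are constructed sample data.
// "login.failed" is the event name given on the page; "login" is an assumed
// name for the success event.

var MAX_FAILED_ATTEMPTS = 5; // the page's default; change as desired

// Stand-in for the fields of the user record that the script actions maintain.
function newUserRecord(userName) {
  return { user_name: userName, failed_attempts: 0, locked_out: false, last_login: null };
}

// Equivalent of "SNC User Lockout Check": runs once per login.failed event.
function onLoginFailed(user) {
  user.failed_attempts += 1;
  if (user.failed_attempts >= MAX_FAILED_ATTEMPTS) {
    user.locked_out = true;
  }
  return user;
}

// Equivalent of "SNC User Clear": runs once per successful login.
function onLoginSucceeded(user, eventTime) {
  user.failed_attempts = 0;
  user.last_login = eventTime;
  return user;
}

// Replay event-log rows ({name, user, time, ip}) in order against a user table
// keyed by user name. A locked-out account cannot log in, so a "login" row for
// such an account is ignored rather than clearing the counter.
function replayEvents(events) {
  var users = {};
  events.forEach(function (ev) {
    var u = users[ev.user] || (users[ev.user] = newUserRecord(ev.user));
    if (ev.name === 'login.failed') {
      onLoginFailed(u);
    } else if (ev.name === 'login' && !u.locked_out) {
      onLoginSucceeded(u, ev.time);
    }
  });
  return users;
}

// "Viewing Failed Login Attempts": the same filter for login.failed that the
// page describes for System Policy > Event Logs, summarised per source IP so
// a burst of failures from one address stands out during review.
function failedLoginsByIp(events) {
  var byIp = {};
  events.forEach(function (ev) {
    if (ev.name === 'login.failed') {
      byIp[ev.ip] = (byIp[ev.ip] || 0) + 1;
    }
  });
  return byIp;
}

// Constructed sample rows (documentation-range IP addresses).
var SAMPLE_EVENTS = [
  { name: 'login.failed', user: 'alice', time: '2014-07-14 08:00:01', ip: '192.0.2.10' },
  { name: 'login.failed', user: 'alice', time: '2014-07-14 08:00:20', ip: '192.0.2.10' },
  { name: 'login',        user: 'alice', time: '2014-07-14 08:00:45', ip: '192.0.2.10' },
  { name: 'login.failed', user: 'bob',   time: '2014-07-14 08:01:00', ip: '203.0.113.5' },
  { name: 'login.failed', user: 'bob',   time: '2014-07-14 08:01:05', ip: '203.0.113.5' },
  { name: 'login.failed', user: 'bob',   time: '2014-07-14 08:01:10', ip: '203.0.113.5' },
  { name: 'login.failed', user: 'bob',   time: '2014-07-14 08:01:15', ip: '203.0.113.5' },
  { name: 'login.failed', user: 'bob',   time: '2014-07-14 08:01:20', ip: '203.0.113.5' },
  { name: 'login',        user: 'bob',   time: '2014-07-14 08:02:00', ip: '203.0.113.5' }
];

// alice: two failures then success -> counter cleared, not locked out.
// bob: five failures -> locked out; the later "login" row is ignored.
var users = replayEvents(SAMPLE_EVENTS);
console.log(JSON.stringify(users, null, 2));
console.log(JSON.stringify(failedLoginsByIp(SAMPLE_EVENTS)));
```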
3.3 Content & Input Validation

3.3.1 Enable File Download Restrictions
Description: When set to 'true', turns on the ability to restrict the types of files that can be downloaded when they have been uploaded using the Upload File functionality of the platform. Used in conjunction with glide.ui.strict_customer_uploaded_content_types (see 3.3.2 below).
Property Name: glide.ui.strict_customer_uploaded_static_content
Type: True/False
Value: True
Release: Available in Berlin Patch 5 and subsequent major platform versions

3.3.2 Specify Downloadable File Types
Description: The glide.ui.strict_customer_uploaded_static_content_types parameter holds a comma-delimited list of file types. These will be the only file types that can be downloaded as static content from an instance.
NOTE: If the glide.ui.strict_customer_uploaded_static_content property (see 3.3.1 above) is set to 'true' but values are not specified in glide.ui.strict_customer_uploaded_static_content_types, then the default types of ico,gif,png,jpg,jpeg,bmp will be the only downloadable file types.
Property: glide.ui.strict_customer_uploaded_content_types
Type: String
Value: User Specified (Common: doc, docx, xls, xlsx, pdf etc.)
If Value is Blank: ico,gif,png,jpg,jpeg,bmp
Release: Available in Berlin Patch 5 and subsequent major platform versions

3.3.3 Browser Rendering Restrictions (MIME Type)
Description: This parameter is a comma-delimited list of MIME file types. This list affects the behavior of files when downloaded from a ServiceNow instance. Normally when a file is downloaded it can either be saved or opened. If the file type is opened it will be executed. For example, MIME types such as 'text/html' or 'text/javascript' would normally be opened directly in the browser. If instead a MIME type is included in this list, then the file will be downloaded only and will not be executed or launched by the browser.
NOTE: A blank value field will force the user to download all MIME types.
Property Name: glide.ui.attachment.download_mime_types
Type: String
Value: User Specified (Common: text/html)
Release: Available in all releases of Berlin and subsequent major platform versions.

3.3.4 Restrict Instance Root Directory Uploads
Description: When the glide.ui.strict_customer_uploaded_static_content_directory parameter is set to 'true', the contents of the glide.ui.strict_customer_uploaded_content_types (see 3.3.2) field will be the only file types that can be downloaded from the instance root directory.
NOTE: If glide.ui.strict_customer_uploaded_static_content_directory is activated but no values are placed in glide.ui.strict_customer_uploaded_static_content (see 3.3.1), then the default types of ico,gif,png,jpg,jpeg,bmp will be the only downloadable file types.
Property Name: glide.ui.strict_customer_uploaded_static_content_directory
Type: True | False
Value: True
Release: Available in all releases of Berlin and subsequent major platform versions.

3.3.5 Limit Root Directory File Types (MIME Types)
Description: Enables and disables the ability to restrict the MIME types that can be downloaded when stored in the instance root directory.
Property Name: glide.ui.strict_customer_uploaded_static_content
Type: String
Value: User Specified (Common: text/html)
Release: Available in all releases of Berlin and subsequent major platform versions.
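An added example, not ServiceNow code, that audits a dump of system property values against the properties and recommended values of section 3 (3.1.1, 3.2.1 to 3.2.3, 3.3.1 to 3.3.4) and computes the effective downloadable file types from 3.3.1 and 3.3.2, including the blank-value fallback. The dump format (a plain object keyed by property name) and the two sample dumps are constructed assumptions.

```javascript
// Added example, not ServiceNow code: audit a dump of system property values
// against the properties and recommended values listed in section 3 of this
// document. In an instance the values would be read from sys_properties (for
// example with gs.getProperty()); here the dump is a plain object and the two
// sample dumps below are constructed.

var DEFAULT_STATIC_TYPES = 'ico,gif,png,jpg,jpeg,bmp'; // page's fallback when 3.3.2 is blank
var RECOMMENDED_TIMEOUT_MINUTES = 60;
var MAX_TIMEOUT_MINUTES = 24 * 60; // "not recommended to set this to more than one day"

function isTrue(value) {
  return String(value).trim().toLowerCase() === 'true';
}

function splitList(value) {
  return String(value || '').split(',')
    .map(function (s) { return s.trim().toLowerCase(); })
    .filter(function (s) { return s !== ''; });
}

// Returns an array of findings; an empty array means every checked property
// matches the document's recommendation.
function auditHardeningProperties(props) {
  var findings = [];
  function finding(name, section, issue) {
    findings.push({ property: name, section: section, issue: issue });
  }
  function requireTrue(name, section) {
    if (!(name in props)) {
      finding(name, section, 'not set');
    } else if (!isTrue(props[name])) {
      finding(name, section, 'expected true, found "' + props[name] + '"');
    }
  }

  requireTrue('glide.security.diag_txns_acl', '3.1.1');
  requireTrue('glide.cookies.httponly', '3.2.2');
  requireTrue('glide.cookies.secure', '3.2.3');
  requireTrue('glide.ui.strict_customer_uploaded_static_content', '3.3.1');
  requireTrue('glide.ui.strict_customer_uploaded_static_content_directory', '3.3.4');

  // 3.2.1: activity timeout in minutes, 60 recommended, never more than one day.
  var timeoutName = 'glide.ui.session_timeout';
  var timeout = parseInt(props[timeoutName], 10);
  if (isNaN(timeout) || timeout <= 0) {
    finding(timeoutName, '3.2.1', 'not set or not a positive integer');
  } else if (timeout > MAX_TIMEOUT_MINUTES) {
    finding(timeoutName, '3.2.1', timeout + ' minutes exceeds one day');
  } else if (timeout > RECOMMENDED_TIMEOUT_MINUTES) {
    finding(timeoutName, '3.2.1', timeout + ' minutes is above the recommended ' + RECOMMENDED_TIMEOUT_MINUTES);
  }

  // 3.3.3: a blank list forces every MIME type to be downloaded; a non-blank
  // list that omits text/html still lets HTML attachments render inline.
  var mimeName = 'glide.ui.attachment.download_mime_types';
  var mimes = splitList(props[mimeName]);
  if (mimes.length > 0 && mimes.indexOf('text/html') === -1) {
    finding(mimeName, '3.3.3', 'text/html is not in the download-only list');
  }
  return findings;
}

// 3.3.1 / 3.3.2: the file types that may be downloaded as static content.
// Returns null when restrictions are off, otherwise the effective list,
// applying the page's fallback to ico,gif,png,jpg,jpeg,bmp for a blank value.
function downloadableStaticTypes(props) {
  if (!isTrue(props['glide.ui.strict_customer_uploaded_static_content'])) {
    return null;
  }
  var configured = splitList(props['glide.ui.strict_customer_uploaded_content_types']);
  return configured.length > 0 ? configured : splitList(DEFAULT_STATIC_TYPES);
}

// Constructed sample dump of a partly hardened instance (four findings).
var SAMPLE_WEAK = {
  'glide.security.diag_txns_acl': 'false',
  'glide.cookies.httponly': 'true',
  'glide.ui.session_timeout': '2880',
  'glide.ui.strict_customer_uploaded_static_content': 'true',
  'glide.ui.strict_customer_uploaded_content_types': '',
  'glide.ui.attachment.download_mime_types': 'application/pdf',
  'glide.ui.strict_customer_uploaded_static_content_directory': 'true'
};

// Constructed sample dump following every recommendation in section 3.
var SAMPLE_HARDENED = {
  'glide.security.diag_txns_acl': 'true',
  'glide.cookies.httponly': 'true',
  'glide.cookies.secure': 'true',
  'glide.ui.session_timeout': '60',
  'glide.ui.strict_customer_uploaded_static_content': 'true',
  'glide.ui.strict_customer_uploaded_content_types': 'doc,docx,xls,xlsx,pdf',
  'glide.ui.attachment.download_mime_types': 'text/html',
  'glide.ui.strict_customer_uploaded_static_content_directory': 'true'
};

auditHardeningProperties(SAMPLE_WEAK).forEach(function (f) {
  console.log(f.section + ' ' + f.property + ': ' + f.issue);
});
```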

3.3.6 Encryption
ServiceNow offers column level encryption to add an additional layer of protection to your data at a granular level. Column level encryption utilizes the AES128, AES256, or 3DES algorithms. The encryption keys can be provided by the customer through the ServiceNow application or randomly generated in the application. Encrypting columns will exclude them from being indexed, and they will not be included in search results or affected by filters. Only columns that are added by the customer can be encrypted. Multiple encryption contexts and role-based access can be set up to provide the granularity of access that may be required for accessing sensitive data. Attachments can also be encrypted using an existing encryption context. Details can be found on the Encryption Support section of the ServiceNow wiki.

4 Access Control (ACL)
ServiceNow uses access control list (ACL) rules, also called access control rules, to control what data users can access and how they can access it. ACL rules require users to pass a set of requirements in order to gain access to particular data. Each ACL rule specifies:
• The object being secured
• The permissions required to access the object
ServiceNow searches for ACL rules that match the object the user wants to access. If there are no matching ACL rules for the object, then the object does not require any additional security checks. By default, ServiceNow provides ACL rules to restrict access to all database and personalization operations. Information on ACLs is available on the Security section of ServiceNow's wiki.

5 Authentication and Password Rules
ServiceNow has a number of options for authentication to its systems. ServiceNow provides a number of Single Sign On (SSO) options that can be reviewed at External Authentication Single Sign-On - SSO.
SAML is the most secure of these SSO options and is recommended, as it does not require sending any customer passwords to ServiceNow. If SAML is being used, ServiceNow recommends that customers apply complex passwords to the user principals that are required in ServiceNow, using the script found at External Authentication SSO - Restricting Local Login.
These passwords are not used by the users to log in, but prevent the users from being logged in locally.
If any external authentication is in use, customers can monitor the following events for authentication events: External Authentication - SSO - Monitoring the Event Queue for Login Failures.
If customers are not making use of external authentication, the following installation exits (Section 5.1) can be used to strengthen the default password rules and put in place restrictions to manage failed logins.

5.1 Enforce Strong Passwords
You can customize password strength validation rules for the change password screen by overriding the Installation Exit associated with password validation. More information on Installation Exits is available on the ServiceNow Wiki.
To strengthen password validation rules
1. Navigate to System Definition > Installation Exits.
2. Locate ValidatePassword and ValidatePasswordStronger. Both of these are inactive.
3. Activate ValidatePasswordStronger.
4. The ValidatePasswordStronger script (below) is a sample script that overrides the ValidatePassword script by using regular expressions to require that passwords be a minimum of 8 characters long, contain a numeric digit, and contain mixed-case letters.
5. Customize the length and complexity values to match your organization's security policy.
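The validation logic described in steps 4 and 5, written out as an added example: this is not ServiceNow's ValidatePasswordStronger script and does not use the Installation Exit API, only a plain function that applies the same three rules (minimum 8 characters, a numeric digit, mixed-case letters) with the thresholds kept in a policy object so they can be customized. The function and policy names, and the optional user-ID check, are assumptions for this illustration.

```javascript
// Added illustration only: NOT ServiceNow's ValidatePasswordStronger script and
// not the Installation Exit API. Written in ES5 style because such scripts run
// server-side. Function and policy names are assumptions for this example.
var DEFAULT_POLICY = {
  minLength: 8,           // "a minimum of 8 characters long"
  requireDigit: true,     // "contain a numeric digit"
  requireMixedCase: true  // "contain mixed-case letters"
};

// Returns { valid: boolean, failures: [reason, ...] } so the change-password
// screen can report every rule that was missed, not only the first one.
// userId is optional; when given, the password may not contain it (an extra
// check beyond the document's three rules, included here as an assumption).
function validatePasswordStronger(password, policy, userId) {
  policy = policy || DEFAULT_POLICY;
  var failures = [];
  if (typeof password !== 'string' || password.length === 0) {
    return { valid: false, failures: ['password is empty'] };
  }
  if (password.length < policy.minLength) {
    failures.push('must be at least ' + policy.minLength + ' characters long');
  }
  if (policy.requireDigit && !/[0-9]/.test(password)) {
    failures.push('must contain a numeric digit');
  }
  // Mixed case means at least one lower-case AND at least one upper-case letter.
  if (policy.requireMixedCase &&
      !(/[a-z]/.test(password) && /[A-Z]/.test(password))) {
    failures.push('must contain both upper-case and lower-case letters');
  }
  if (userId &&
      password.toLowerCase().indexOf(String(userId).toLowerCase()) !== -1) {
    failures.push('must not contain the user ID');
  }
  return { valid: failures.length === 0, failures: failures };
}

// Constructed sample passwords, one per rule; returns how many a policy rejects.
function countRejected(policy) {
  var samples = ['Abcdefg1', 'abcdefg1', 'ABCDEFG1', 'Abcdefgh', 'Ab1', '',
                 'Password123'];
  var rejected = 0;
  for (var i = 0; i < samples.length; i++) {
    if (!validatePasswordStronger(samples[i], policy).valid) rejected++;
  }
  return rejected;
}
```

Raising minLength in the policy object is the customization step 5 refers to; countRejected shows how many of the sample passwords a stricter policy turns away.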

6 Document Control Information
6.1 References
Document ID# (MDoc or KB)    Title
https://wiki.servicenow.com/index.php?title=Security    Security – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Uploading_a_Certificate    Uploading a Certificate – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Release_Notes    Release Notes – ServiceNow Wiki
https://wiki.servicenow.com/index.php?title=IP_Range_Based_Authentication    IP Based Access Controls – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=ServiceNow_Access_Control    ServiceNow Access Control – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Security_Jump_Start_-_ACL_Rules    Security Jump Start – ACL Rules – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=High_Security_Settings    High Security Settings – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Contextual_Security_Plugin    Contextual Security Plugin – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Web_Services    Web Services – ServiceNow Wiki
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options    X-Frame-Options – Mozilla Developer Network
https://wiki.servicenow.com/index.php?title=Adding_a_Property    Adding a Property – ServiceNow Wiki
https://wiki.servicenow.com/index.php?title=Encryption_Support    Encryption Support – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=External_Authentication_%28Single_Sign-On_-_SSO%29    External Authentication (Single Sign-on – SSO) – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=External_Authentication_%28Single_Sign-On_-_SSO%29#Restricting_Local_Login    External Authentication (Single Sign-on – SSO) Restricting Local Login – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=External_Authentication_%28Single_Sign-On_-_SSO%29#Monitoring_the_Event_Queue_for_Login_Failures    External Authentication (Single Sign-on – SSO) Monitoring the Event Queue for Login Failures – ServiceNow Wiki
http://wiki.servicenow.com/index.php?title=Installation_Exits    Installation Exits – ServiceNow Wiki

6.2 Document Control
Role    Name    Title    Date    Signature
Author    Clint Sowada    Senior Security Engineer, Application Security    (On file)    (On file)
Owner    Josh Lemos    Senior Director, Application Security    (On file)    (On file)
QC Reviewer    Hazell Lopez    Information Security and Compliance Analyst    (On file)    (On file)
Approver    Justin Dolly    VP, Chief Information Security Officer    (On file)    (On file)
Table 4. Document Control

6.3 Revision History
Revision    Date    Written/Updated by    Section(s)    Summary
1.0    March 15, 2014    Josh Lemos    All    Initial version of document
2.0    June 2nd, 2014    Clint Sowada    1.1.1, 1.1.6, 2.1.1, 2.4.2, 3.2.1, 3.2.2, 5    Remove reference to High Security setting that is no longer applicable in the Fuji release. Changes in recommended values.
Table 5. Revision History

END OF DOCUMENT
