on 11-20-2023 06:13 AM
Enhancing Security in ServiceNow: A Comprehensive Guide
Introduction
In the IT world, security is paramount. ServiceNow, as a leading platform in this domain, is committed to ensuring the highest security standards. This article aims to shed light on the recent security updates related to system properties, detailing their importance and the necessary actions for customers.
Understanding the Importance of System Property Security
What are System Properties?
System properties in ServiceNow are key-value pairs that control various functionalities of the platform. They can influence everything from user interface settings to security protocols. These properties act as the backbone of the platform's configuration, making their security a top priority.
The Need for Secure Settings
The security of system properties is not just a technical necessity but a critical aspect of safeguarding sensitive data and operations. Insecure settings can lead to vulnerabilities, exposing the system to unauthorized access and potential data breaches. Ensuring these properties are securely configured is essential in maintaining the integrity and reliability of the ServiceNow platform.
Detailed Overview of Properties Requiring Secure Settings
ServiceNow has identified several properties that require secure settings to enhance the platform's security. These include:

| Property Name | Secure Value | Description |
| --- | --- | --- |
| glide.basicauth.required.schema, glide.basicauth.required.soap, glide.basicauth.required.wsdl, glide.basicauth.required.rss, glide.basicauth.required.scriptedprocessor, glide.basicauth.required.api, glide.basicauth.required.jsonv2, glide.basicauth.required.unl, glide.basicauth.required.xml, glide.basicauth.required.importprocessor, glide.basicauth.required.xmloutputprocessor, glide.basicauth.required.csv, glide.basicauth.required.excel, glide.basicauth.required.pdf, glide.basicauth.required.xsd | true | The set of glide.basicauth.required.* properties impact authentication. If a property is not set to "true", the respective mechanism, such as SOAP or WSDL, does not require authentication on all inbound connections. This can lead to unauthenticated access to sensitive content/data on the platform. |
| glide.security.strict.updates | true | When set to "true", this property adds a layer of verification by verifying a given user has the appropriate ACL to update the form on form submission or field update. |
| glide.security.sandbox_no_unsafe_methods | true | When set to "true", this property prevents dangerous methods from being run in the JavaScript sandbox on a Now instance. An insecure setting for this property could allow users to run commands beyond the intended instance scope. NOTE: If this property is not visible, it is in a secure state by default and no update is needed. |
| glide.ui.escape_text | true | The property glide.ui.escape_text, when set to "true", escapes XML values at the parser level for the user interface. A secure setting prevents reflected and stored cross-site scripting attacks. If "glide.ui.escape_text" is not set to the recommended value of "true", then XML values will not be escaped at the parser level for the user interface; this will leave jelly templates susceptible to reflected and stored cross-site scripting (XSS) attacks. |
| glide.ui.security.codetag.allow_script | false | If "glide.ui.security.codetag.allow_script" is not set to the recommended value of "false", then rendered HTML is allowed in journal fields and forms. This can lead to cross-site scripting (XSS) attacks when malicious HTML is inserted between code tags. |

Each of these properties plays a crucial role in fortifying the platform against various security threats.
Actions Required by Customer
Securing Your System Properties
Customers are required to review and update their system properties to the recommended secure settings. This involves:
- Identifying properties with insecure settings.
- Updating these properties to their secure values.
- Testing the changes in a sub-production environment before applying them to the production environment.
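The "identify" step above can be run offline against an export of the instance's properties. The following is an added example, not code from the original article or from ServiceNow: it assumes the export is a list of `{ name, value }` records, and the status labels (`ok`, `ok-default`, `insecure`, `review-absent`) and the choice to flag absent properties for manual review are assumptions of this sketch.

```javascript
// Secure baseline, taken from the table in this article.
const BASIC_AUTH_SUFFIXES = ['schema', 'soap', 'wsdl', 'rss', 'scriptedprocessor',
  'api', 'jsonv2', 'unl', 'xml', 'importprocessor', 'xmloutputprocessor',
  'csv', 'excel', 'pdf', 'xsd'];

const BASELINE = new Map([
  ...BASIC_AUTH_SUFFIXES.map((s) => [`glide.basicauth.required.${s}`, 'true']),
  ['glide.security.strict.updates', 'true'],
  ['glide.security.sandbox_no_unsafe_methods', 'true'],
  ['glide.ui.escape_text', 'true'],
  ['glide.ui.security.codetag.allow_script', 'false'],
]);

// Per the article, this property is secure by default when it is not visible.
const SECURE_WHEN_ABSENT = new Set(['glide.security.sandbox_no_unsafe_methods']);

// records: [{ name, value }] rows (assumed export format, see lead-in).
function auditProperties(records) {
  const current = new Map();
  for (const { name, value } of records) {
    // Whitespace is trimmed; the comparison is otherwise exact.
    current.set(String(name).trim(), String(value ?? '').trim());
  }
  const findings = [];
  for (const [name, secure] of BASELINE) {
    let status;
    if (!current.has(name)) {
      // Absent is not proof of a secure default, so flag it for manual review.
      status = SECURE_WHEN_ABSENT.has(name) ? 'ok-default' : 'review-absent';
    } else {
      status = current.get(name) === secure ? 'ok' : 'insecure';
    }
    findings.push({ name, secure, actual: current.get(name) ?? null, status });
  }
  return findings;
}

function insecureNames(records) {
  return auditProperties(records).filter((f) => f.status === 'insecure').map((f) => f.name);
}

// Constructed sample export, not data from a real instance.
const SAMPLE = [
  { name: 'glide.basicauth.required.soap', value: 'true' },
  { name: 'glide.basicauth.required.wsdl', value: 'false' },
  { name: 'glide.ui.escape_text', value: 'true ' },
  { name: 'glide.ui.security.codetag.allow_script', value: 'true' },
  { name: 'glide.security.strict.updates', value: '' },
];
console.log(auditProperties(SAMPLE).filter((f) => f.status !== 'ok'));
```

Run the same audit against the sub-production export after applying the changes; every property should then report `ok` or `ok-default`.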
Testing in Sub-Prod Instances
Testing in sub-prod instances is critical. It allows customers to ensure that the security enhancements do not disrupt normal operations. This step-by-step approach minimizes the risk of unintended consequences when the changes are pushed to the production environment.
Reference KB Article : Link
Nice job, @Amit Gujarathi !