
In this article, we will explore the Best Practice component of Security Center, a crucial tool within ServiceNow designed to enhance the security of your instance. The Best Practice component of ServiceNow aims to provide several security suggestions to improve the overall security posture of your instance. Each suggestion includes step-by-step instructions needed to implement it in your environment.
Looking at the 'Manage your Best Practices' page below, we see that the suggestions are structured around maturity levels, and the dashboard provides an easy way to track progress. This view is from an instance where the Best Practices component has not yet been used.
Notice that the number of Best Practices completed so far is 0 and the recommended next step is to commence the 'Build a foundation' maturity level.
The security suggestions for the 'Build a foundation' level are:
- Change the default login credentials
- Configure web browsers to use only TLS 1.2 or higher when connecting to your instance
- Configure your email systems to accept mail from your instance by using SPF
- Enable table auditing for important or sensitive data
- Enforce the use of strong passphrases
- Ensure automatic account creation
- Ensure that the High Security plugin is installed and activated
- Install patches as soon as possible
- Integrate with MFA
- Limit accepted email sender domains
- Monitor important logs to help identify any suspicious or malicious activity
- Monitor your instance’s Hardening Compliance level
- Remove the ‘Remember Me’ checkbox
- Restrict access to your instance from unknown IP addresses
- Use SAML authentication
- Use the email filters feature set to deal with suspect inbound messages
This list provides a great starting point for improving the security posture of your instance and, in most cases, provides great guidance on the steps necessary to complete the required configuration. As you go through each item, however, ensure you review it in the context of your environment and in consultation with your Cyber team.
For example, the item 'Ensure automatic account creation' suggests enabling the creation of new user accounts when emails are received from unknown email addresses. In most environments, you will likely already be using a directory service to automatically provision new user accounts into your ServiceNow environment. If this is the case, I strongly recommend that automatic account creation from inbound emails remain disabled. The Best Practice guidance does not clearly address this nuance. It does, however, provide a way to record any decisions within the tool by adding a comment to the Best Practice item.
I recommend reviewing the following items from the 'Build a foundation' list with your Technical Governance and Cyber teams before moving forward:
- Ensure automatic account creation - Leave this disabled if you are already using a directory service to provision user accounts.
- Integrate with MFA - Review this in terms of your enterprise strategy for MFA. I typically see MFA implemented on the organization's SSO/Identity tool rather than directly on ServiceNow. Make sure you also consider how any local accounts such as the Break glass Admin account or service accounts might be impacted.
- Restrict access to your instance from unknown IP Addresses - Ensure you consider the impact that this might have on mobile devices and integrations. Also consider if this control should be implemented through Adaptive Authentication as opposed to the IP Range Based Authentication plugin.
Ongoing Maintenance
To keep up to date with the Security Best Practice suggestions from ServiceNow, I recommend that you check for new updates to the Security Center application on a monthly basis. Each new release of the application is likely to include more best practice recommendations that can be reviewed and actioned as needed. This is one area where I hope ServiceNow continues to invest, making it easier for administrators to understand some of the most common practices around security in the ServiceNow space.
In summary, the Best Practice component of Security Center provides a structured method to bolster your ServiceNow instance's security. By implementing the recommended steps and keeping up with regular updates, you can greatly enhance your security posture. Integrating insights from the other Security Center components into your strategy is essential. Remember, cybersecurity is a continuous journey—staying informed and proactive is vital. For further insights, explore the related articles listed below.
Further Reading
I've covered other aspects of Security Center in previous articles as listed below.