In the age of automation and productivity, we often overlook the security impact of automation (of everything). Since the release of Aspen, ServiceNow introduced inbound email actions, allowing ServiceNow users to initiate workflows or interact with service management functions via email. While these are perfectly safe to use, it is critical your instance is set up properly. As with all security relevant settings, misconfigured email actions can be abused by attackers. For example, it can be used to send malicious attachments or phishing emails to your ServiceNow instance. We are going to take a look at what inbound email actions are and how you can use them safely and securely to ensure you are using your ServiceNow instance that enables the business while keeping your data and users secure.
Inbound email actions enable users to automatically create or update records when an email is sent to your ServiceNow instance. Inbound email actions are similar to business rules, using both conditions and scripts. ServiceNow leverages watermarking ids inside the email body (or subject) in order to associate it to a task such as an incident or problem. For detailed examples of email actions that interact with incidents, problems, and change requests, see Examples of Inbound Email Actions.
You can edit your inbound email action to add, disable, or modify them as necessary.
- Navigate to System Policy > Email > Inbound Actions
- Note: Must be an Administrator to edit these. We recommend that any role given this permission should proceed with caution.
- Click on any of the existing records, or click New to create a new action.
Inbound Email Actions are enabled by default and you should deactivate the ones that are not necessary to your business processes. The default actions should be modified using the condition builder to properly suit your companies workflows.
Once you have established a good basis for which email actions communicate with your instance, there are a few ways we can go about securing inbound email actions to keep your data safe.
How to protect your data (and secure Inbound Email Actions)
-
Enable automatic user creation with a list of trusted specified domains
-
Navigate to User Administration > Users
-
Select the user Guest
-
Select the Locked out field to disable the guest account
-
Note: Locking out a user record prevents ServiceNow from processing inbound actions.
-
-
-
Audit your instances default Inbound Email Actions
-
Edit any default actions to suit your needs specifically
-
Disable any actions that are not in use
-
-
Verify only necessary users have permission to modify Inbound Actions
-
Accomplish this by auditing user Roles with an admin account
-
To further protect your data when working with inbound email actions, review the Security Instance Hardening guide and apply these practices to your instance; as well as, implement the Security Best Practice Audit App and review your instance security standing.
Automating everything may sound like fun at first. I mean, after all, it was the theme to our Knowledge conference a while ago (Automate or Die!). But it doesn't come without a word of caution. Automate what can be automated, but keep a tight-reign on areas that it is better to be safe than sorry. Now that you have secured your data, protected your company, and automated your instance even further, remember to follow the Security blog posts as we continue to provide tips and recommendations for your ServiceNow instances with regard to securing your data.
Resources:
High Security Settings Plugin Doc
