Strict IP restriction - glide.ip.authenticate.strict
‎11-06-2019 08:12 PM
I wanted to learn more about the "Strict IP Restriction" functionality before activating it.
From what I understand, the feature restricts the IP addresses that ServiceNow support staff are able to access the instance from, restricting it down to "secure IP addresses", such as within a data centre or through a ServiceNow VPN.
What IP ranges does it restrict them down to when it is activated?
Are there any dangers to be aware of when it comes to activating this feature? ServiceNow Support typically wouldn't be trying to access an instance from outside of their secure networks, would they?
ServiceNow hardening guide: https://hi.service-now.com/kb_view.do?sysparm_article=KB0550654#3.12
Old blog article with more information: https://blog.cbc-faruhn.com/servicenow-platform-security-analysis/
Instance security centre configuration entry: https://yourinstancename.service-now.com/nav_to.do?uri=appsec_hardening_configurations.do?sys_id=aa153f6664330300964f17e1be5b7ad0
Labels: Platform and Cloud Security
‎01-10-2020 04:51 AM
If we set this property value as "true", do we need to add the list of IP ranges from where our instances can be accessed (System Security > IP Address Access Control)? If no, then how will the instance identify the white-listed IP ranges?
‎01-10-2020 07:21 PM
From what I've been able to understand, no, you don't need to add the IP ranges for ServiceNow (the company) into your ServiceNow instance. It seems to filter based on its own functionality.
I've been able to find that what this feature actually does is prevent users from ServiceNow (the company) from accessing your instance unless they are connecting via either:
- The internal network of the data centre that your instance lives in.
- A secure VPN connection into your instance's network.
HI have said that it's very rare these days for ServiceNow employees to access a customer's instance in a non-secure fashion, and they said that it should be safe to enable this feature.