If the glide.stax.whitelist_enabled system property does not exist in the System Properties [sys_properties] table, or it is not set to the recommended value of true, then all external entities are allowed when the glide.stax.allow_entity_resolution system property is set to the value of true. If customizations do not require entity expansion, use the glide.stax.allow_entity_resolution system property to disable external entity expansion. The XML completes parsing but doesn't include any internal or external entities.

• If you set glide.stax.allow_entity_resolution to true, all external entities attempt to resolve or expand subject entities, subject to the setting of the glide.stax.whitelist_enabled property.
• If you set glide.stax.allow_entity_resolution to false, all entity resolution and expansion is blocked. To learn more about this property, see Disable Entity Expansion within the XMLDocument2 Streaming Parser [Updated in Security Center 1.5].

When glide.stax.whitelist_enabled is set to true, define a listing of comma-delimited FQDN in the glide.xml.entity.whitelist property, which are the only URLs that can be reached using the XML entity processing property. To learn more, see Restrict XML external entities [Updated in Security Center 1.3 and 2.0]. Attackers can use this vulnerability to expand data exponentially in an External Entities Expansion (XXE) attack, quickly consuming all system resources.

Protect against XXE attacks by using an allow list to prevent attackers from including arbitrary HTTP requests that the server may execute. This could lead to additional attacks using the server's trust relationship with other entities.

Add http://java.sun.com/j2ee/dtds/ to the value of the glide.xml.entity.whitelist system property, then set the glide.xml.entity.whitelist.enabled system property to true.

Values other than http://java.sun.com/j2ee/dtds/ can be included in the in the glide.xml.entity.whitelist property, but are unnecessary for the out of the box platform state. Review any additional values to determine if they are safe.

Ensure that MIME-types are validated for attachments to prevent dangerous files from being uploaded on your instance using wrong file extensions.

Set the glide.attachment.enforce_security_validation system property to true. When set to true, files are uploaded with the correct file type extension.

It is a security best practice to validate file uploads at least with MIME type validation.

Description (New) Prevent unnecessary exposure of instance access to wider group of people using the glide.ip.authenticate.strict and glide.ip.authenticate.allow.secured system properties.

When the glide.ip.authenticate.strict system property is set to true, internal ServiceNow personnel and systems can only make inbound connections to your instance from essential IP ranges. This limits ServiceNow's visibility to essential internal infrastructure on your instance, and prevents access by broader ServiceNow personnel such as support and sales staff via corporate networks. The glide.ip.authenticate.allow.secured system property grants internal ServiceNow inbound connections, including regular authenticated access and unauthenticated diagnostic pages.

If not set to true, then a broader ServiceNow internal IP range defined in the glide.ip.authenticate.allow property is used to grant these internal ServiceNow inbound connections.

Ensure the glide.ip.authenticate.allow.secured system property contains only trusted values and that the property glide.ip.authenticate.strict is set to true.

Description (Old): If "glide.ip.authenticate.strict" is set to "true", then internal ServiceNow personelle and systems can only make inbound connections to the instance from essential IP ranges. This limit's ServiceNow's visibility into the instance to essential internal infrastructure, and prevents access by broader ServiceNow personelle such as support and sales staff via corporate networks.

When set to "true", the "glide.ip.authenticate.allow" property is used to grant internal ServiceNow inbound connections. If not set to "true", then a broader ServiceNow internal IP range as defined in "glide.ip.authenticate.allow" is used to grant internal ServiceNow inbound connections.

Disable entity expansion on your instance to secure your instance from attacks such as ability to read system files, and Denial of Service. Use the system property to disallow XML entities to be expanded during parsing by the streaming parser (XMLDocument2).

Set the glide.stax.allow_entity_resolution system property to false to disable entity expansion on your instance. If this property does not appear in the System Properties [sys_properties] table, the default value is true. Create the property record and set the value to false to change it's value.

Prevent your instance's legacy security manager from allowing access to resources when there are no ACLs defined for that resource, or if there are only wildcard table-level ACLs (for example, incident.*). When allowed access by default, anything that does not have explicit ACLs set is susceptible to manipulation.

Set the glide.sm.default_mode system property value to deny to disallow access when there are no define ACL rules, or there are only wildcard table-level ACLs.

Secure the images on your instance to prevent sensitive information leak. Images on your instance are accessible via urls that end in .iix.

Set the glide.image_provider.security_enabled system property to true to prevent access to your images via these URLs.

Disable support for displaying HTML code embedded using the [code] tag. This tag allows rendered HTML to display in journal fields and may lead to cross-site scripting (XSS) attacks. These attacks can enable foreign scripts to execute on a user session in the logged in browser's context. Attackers can use these scripts to steal session information and sensitive data. The HTML language was not designed to separate script from formatting, so allowing user-controlled HTML in any system has inherent risk.

Setting the glide.ui.security.codetag.allow_script to false is compliant, and significantly reduces this risk, however some small risk remains. It disables only the script portion of a code tag, and relies on sanitizing all known conventions of script in the HTML.

Set the glide.ui.security.allow_codetag system property to false to completely prohibit journal fields and forms from displaying rendered HTML.

Prevent potentially malicious formulas in programs such as Excel from being executed after exporting and opening the file by escaping formulas in these files. Excel injection occurs when websites embed untrusted entries inside Excel files. When you use a spreadsheet application such as Microsoft Excel, or LibreOffice Call, to open a file, any cells starting with +, -, =, or @ are interpreted as a formula unless properly escaped. Malicious formulas pose a risk even when the spreadsheet doesn't contain any sensitive information, as they can be used to compromise the viewer's computer through code execution.

Set the glide.export.escape_formulas system property to true to escape these formulas from executing.

Increase security on your instance by ensuring that only trusted URLs for the AngularJS $http service can allow/reject JSONP requests. JSONP requests are allowed to any URL if these properties are not configured and enabled.

Use the value of the angular.jsonp.inclusion_list.urls system property to define a list of URLs that are trusted and allow for this purpose. Set the value of the angular.jsonp.inclusion_list.enabled system property to true to limit allowed JSONP to only the URLs listed in angular.jsonp.inclusion_list.urls.

Prevent ServiceNow Customer Service and Support personnel from accessing the instances without your express permission by enabling the SNC Access Control (com.snc.snc_access_control) plugin. Although all access to your instance is audited, you may prefer to control this access. This access method is fully auditable and tracked.

Enable the SNC Access Control (com.snc.snc_access_control) plugin to restrict access to your instance without your express permission. For more details on this feature, see ServiceNow access control. For activation information, see Activate ServiceNow access control

Help secure your instance against brute force attacks by defining a time period during which a user cannot attempt to log in after being locked out. The glide.user.unlock_timeout_in_mins system property unlocks the user account after the time period that is specified in it's value. If no value is specified, your instance unlocks the user account after the default period of 15 minutes.

Set the glide.user.unlock_timeout_in_mins system property value to a minimum of 15. If glide.user.unlock_timeout_in_mins does not exist, the default lockout time is set to 15 minutes.

Ensure that the SNC User Lockout Check with Auto Unlock script action (found on the Script Action [sysevent_script_action] table) is present and active. The SNC User Lockout Check with Auto Unlock script action is installed with the High Security Settings (com.glide.high_security) plugin.

If the Multi SSO plugin is enabled on an instance, reduce security vulnerabilities by confirming that the v2 version is enabled. The latest version enhances security and has more features, such as Assertion encryption support, and IDP-initiated Single Logout (SLO). If the latest version is not enabled, the new security features cannot be used and the instance is at risk of using an plugin which is deprecated.

Follow the steps in KB0756504 to upgrade to the latest version. This process includes checking for and migrating any customization-related changes, then upgrading the version. When complete, the glide.authenticate.multissov2_feature.enabled system property is automatically set true.

Prevent OutOfMemoryExceptions that can result from a request response body being too large using the glide.http.response.get_body.limit.enabled and glide.http.response.get_body.limit system properties. These exceptions can cause denial of service (DOS) attacks as well as other issues that may aid attackers in compromising an instance. Not setting these properties to the recommended values could make your instance vulnerable to OutOfMemoryExceptions and denial of service attacks.