Updated hardening settings for baseline version 5.0

  • Release version: Australia
  • Updated March 12, 2026
  • Some hardening settings have been updated with the release of Security Center baseline version 5.0.

    Baseline version 5 includes several updates to short descriptions for style and consistency across records. In addition, many property related scripts were updated to improve the accuracy of default values in cases where the property has been removed from the sys_property table.

    Documentation Updates
    Require authorization for SOAP requests
    • New remediation: Ensure the Glide Property glide.basicauth.required.soap exists and is set to the value true. Alternatively, configure the instance for WS Security by setting the property glide.soap.require_ws_security to true and following the product documentation to configure WS Security Profiles. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Ensure the property glide.basicauth.required.soap is set to the value true. Alternatively, configure the instance for WS Security by setting the property glide.soap.require_ws_security to true and following the product documentation to configure WS Security Profiles.
    Enforce OCSP check on network error
    • New remediation: Ensure the property com.glide.communications.httpclient.ocsp_allow_network_error exists and is set to false. If the property does not appear in the sys_properties table, add a new record.
    • Old Remediation: Ensure the property com.glide.communications.httpclient.ocsp_allow_network_error is set to false.
    Disable external content URL
    • New remediation: Ensure the Glide Property glide.ui.url.external.content exists and is set to the value false. If the property does not appear in the sys_properties table, add a new record.
    • Old Remediation: Ensure the property glide.ui.url.external.content is set to false.
    • New CVSS Score: 7.2
    • Old CVSS Score: 8.1
    • Rule Script: Script has been updated to improve detection accuracy.
    Restrict XML external entities
    • New remediation: Ensure the Glide Property glide.xml.entity.whitelist exists and is set to "http://java.sun.com/j2ee/dtds/" and the Glide Property glide.xml.entity.whitelist.enabled exists and is set to the value true. If the properties do not appear in the sys_properties table, add new records.
    • Old Remediation: Ensure the property glide.xml.entity.whitelist is set to "http://java.sun.com/j2ee/dtds/" and the property glide.xml.entity.whitelist.enabled is set to true.
    Disable unauthenticated published reports
    • New remediation: Ensure the Glide Property glide.report.published_reports.enabled exists and is set to the value false. If the property does not appear in the sys_properties table, add a new record.
    • Old Remediation: Ensure the property glide.report.published_reports.enabled is set to false.
    Enable password reset policy checks
    • New remediation: Ensure the Glide Property glide.enable.password_policy exists and is set to the value true. If the property does not appear in the sys_properties table, add a new record.
    • Old Remediation: Ensure the property glide.enable.password_policy is set to true.
    Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable
    • New remediation: Ensure the property glide.xmlutil.max_entity_expansion is set to 3000 or less. If the instance is on Washington or later, the default implied value is 3000 if the sys_properties record does not exist. If the instance is not on Washington or later, the recommendation is for the instance admin to create a sys_properties record with name glide.xmlutil.max_entity_expansion and the value 3000.
    • Old Remediation: Ensure the property glide.xmlutil.max_entity_expansion is set to 3000 or less.
    Disable outbound SSLv2/SSLv3 connections
    • New remediation: Ensure the Glide Property glide.outbound.sslv3.disabled exists and is set to the value true. If the property does not appear in the sys_properties table, add a new record.
    • Old Remediation: Ensure the property glide.outbound.sslv3.disabled is set to true.
    Important:
    The value for the glide.outbound.sslv3.disabled property is a safe override and cannot be altered once changed.
    Restrict uploaded MIME types
    • New remediation: Ensure the property glide.security.file.mime_type.validation exists and is set to true. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Ensure the property glide.security.file.mime_type.validation is set to true.
    Enable Jelly JS interpolation protection for nested expressions
    • New remediation: Ensure the Glide Property glide.ui.jelly.js_interpolation.protect_nested_expressions exists and is set to the value true. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Ensure the property glide.ui.jelly.js_interpolation.protect_nested_expressions is set to true.
    Enable SSL in LDAP authentication [Updated in Security Center 1.5 and 2.0]
    • Rule Script: Script has been updated to improve detection accuracy.
    Enable UserCookie version 3.1
    • New description: UserCookie v3 is generated only when the property glide.ui.secure.cookies.use_kmf is disabled. UserCookie v3 is not secure because the secret key for its HMAC is stored in source code and is identical for all customers. That allows malicious actors to use this single secret key in attempts to hijack user sessions. By setting the property glide.ui.secure.cookies.use_kmf to true, UserCookie v3.1 will be used and the secret key will be stored in security storage such as KMF.
    • Old description: UserCookie v3 is generated only when the property glide.ui.secure.cookies.use_kmf is disabled. UserCookie v3 is not secure because the secret key for its HMAC is stored in source code and is identical for all customers. That allows malicious actors to use this single secret key in attempts to hijack user sessions.
    • New remediation: Ensure the property glide.ui.secure.cookies.use_kmf exists and is set to true. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Ensure the property glide.ui.secure.cookies.use_kmf is set to true, which means UserCookie v3.1 will be used and the secret key will be stored in security storage such as KMF.
    Set OTP lifetime for password reset to 1 hour [Updated in Security Center 2.0]
    • Rule Script: Script has been updated to improve detection accuracy.
    Log user impersonation
    • New remediation: Ensure the property glide.sys.log_impersonation exists and is set to true. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Ensure the property glide.sys.log_impersonation is set to true.
    Required JMS connection factories
    • Rule Script: Script has been updated to improve detection accuracy.
    Ensure dashboards creation/deletion requires access check [New in Security Center 1.3 and updated in 2.0]
    • New remediation: Ensure the Glide Property glide.processors.check_access_before_process exists and is set to the value true. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Ensure the value of glide.processors.check_access_before_process is always true.
    Proactively Invalidate Sessions After Defined Durations
    • New remediation: Ensure the Glide Property glide.active.session.timeout.invalidate.session exists and is set to the value true. If the property does not appear in the sys_properties table, add a new record.
    • Old remediation: Set the Glide Property glide.active.session.timeout.invalidate.session to true.
    Enforce Security Scope for Agent Workspace for HR Case Management [New in Security Center 1.5 and updated in 2.0]
    • Rule Script: Script has been updated to improve detection accuracy.
    Enforce security scope license and permit playbook [New in Security Center 1.5 and updated in 2.0]
    • Rule Script: Script has been updated to improve detection accuracy.
    Restrict downloadable MIME types
    • New description: If the property glide.ui.attachment.force_download_all_mime_types is set to true, then the glide.ui.attachment.download_mime_types property will be overridden so that all MIME types will be downloaded rather than rendered by the browser. For example, downloading text/html forces an HTML file to be downloaded to the client as a file rather than viewed inline in the browser, preventing an XSS attack. XSS can lead to easily attained privilege escalation to higher roles such as admin where more lateral movement can be taken.
    • Old description: If the property glide.ui.attachment.force_download_all_mime_types is not set to true, then the glide.ui.attachment.download_mime_types property will be overridden so that all MIME types will be downloaded rather than rendered by the browser. For example, downloading text/html forces an HTML file to be downloaded to the client as a file rather than viewed inline in the browser, preventing an XSS attack. The ability to have XSS can lead to easily attained privilege escalation to higher roles such as admin where more lateral movement can be taken.
    • New remediation: Ensure the property glide.ui.attachment.force_download_all_mime_types is set to true. If the property does not exist in the sys_properties table, the default value is false.
    • Old remediation: Ensure the property glide.ui.attachment.force_download_all_mime_types is set to true.
    • Rule Script: Script has been updated to improve detection accuracy.
    Define restricted downloadable MIME types [Updated in Security Center 1.3, 1.5, and 2.0]
    • Rule Script: Script has been updated to improve detection accuracy.
    Disallow infected file download
    • New description: When the property com.glide.snap.infected_download_allowed is set to true, users can still download non-scanned attachments in the case that the antivirus service is down or unreachable. This means it is possible that a user downloads a malicious file and risks infecting the user's desktop (in the case there is no other endpoint protection on the device).
    • Old description: If com.glide.snap.infected_download_allowed is not set to the recommended value of False, then it is possible to download a malicious file that has not been scanned leading to a risk of infecting the user's desktop.
    • New remediation: Ensure the property com.glide.snap.infected_download_allowed is set to false.
    • Old remediation: Ensure the property com.glide.snap.infected_download_allowed is set to False.
    Restrict access to GlideSystemUserSession scriptable API
    • New description: gs.addErrorMessageNoSanitization() and gs.addInfoMessageNoSanitization() are used within the scripting environment for logging and notifications. Both of these are available in the sandbox if this property is not set to the recommended value of false. The sandbox is a low privileged scripting environment available to unauthenticated users and users with no role. Both of these methods can be used to display unsanitized input to a user. Displaying unsanitized input to the user is dangerous, as unsanitized input may contain dangerous code that runs in the user's browser. This can be utilized for traditional reflected XSS attacks. Reflected XSS attacks can be used in multiple scenarios, including session hijacking.
    • Old description: Messaging within the glide scripting sandbox is used for logging purposes. Calling this unsanitized error function exposes the platform to reflected XSS attacks. XSS attacks can allow for easy privilege escalation by stealing someone's session cookies. If glide.sandbox.usersession.allow_unsanitized_messages is not set to the recommended value of false, then the unsanitized error messaging functions addErrorMessageNoSanitization and addInfoMessageNoSanitization are available to script.
    Enable work order management query rules for service organizations
    • New description: When set to true, rules/filters from sn_query_rule table will be used to determine read access to Field Service Management-related tables (Work Order and Work Order Task) to the logged in user through query business rules and read ACLs. When false, the records won't be filtered based on query rules. Query business rules add additional security validations. Specifically, this property will filter records for agents, qualifiers, and dispatchers based on their assigned territory or territory membership. It is best practice to follow the principle of least privilege when reading records. When this property is not set to true, there may be increased risk of data exposure from Field Service Management tables.
    • Old description: When set to true, rules/filters from sn_query_rule table will be used to determine read access to Field Service Management-related tables (Work Order and Work Order Task) to the logged in user through query business rules and read ACLs. When false, the records won't be filtered based on query rules. Query business rules add additional security validations. Specifically, this property will filter records for agents, qualifiers, and dispatchers based on their assigned territory or territory membership. It is best practice to follow the principle of least privilege when reading records.
    Restrict email domains for external user registration [Updated in Security Center 1.3, 1.5, and 2.0]
    • New description: The sn_ext_usr_reg.allowed_email_domains property defines which email addresses are allowed to self-register to a ServiceNow instance. The format should be a comma separated list of acceptable email domains such as domain1.com,domain2.com, where emails such as example@domain2.com will be accepted. If sn_ext_usr_reg.allowed_email_domains is not set with a list of acceptable domains, then users with any email address are allowed to register accounts on the instance. If not defined, malicious actors could perform registration using email addresses from unwanted domains to gain authenticated access to the instance.
    • Old description: The sn_ext_usr_reg.allowed_email_domains property defines which email addresses are allowed to self-register to a ServiceNow instance. If sn_ext_usr_reg.allowed_email_domains is not set with a list of acceptable domains, then users with any email address are allowed to register accounts on the instance. If not defined, malicious actors could perform registration using email addresses from unwanted domains to gain authenticated access to the instance.
    Apply domain separation on dot walked fields
    • New description: This property controls whether join queries are given domain separated conditions or not, in order to ensure they apply domain separation functionality for dot walked fields. If glide.sys.domain.include_domain_condition_on_join is not set to the recommended value of true on an instance using domain separation, then sensitive information could be disclosed that is not to be shared with a specific domain. There may be moderate functional impact to the instance if components are reliant on the unsafe cross domain queries. Instances should be tested in subproduction environments before enabling.
    • Old description: This property controls whether join queries are given domain separated conditions or not, in order to ensure they apply domain separation functionality for dot walked fields. If glide.sys.domain.include_domain_condition_on_join is not set to the recommended value of true on an instance using domain separation, then sensitive information could be disclosed that is not to be shared with a specific domain.
    Enforce URL allowlist check
    • New remediation: Ensure the property glide.security.url.whitelist.strict_check is set to true or the property glide.security.url.whitelist is set to a value.
    • Old remediation: Ensure the property glide.security.url.whitelist.strict_check is set to "true" and the property glide.security.url.whitelist is set to a value.
    Set guest user for soap requests
    • Rule Script: Script has been updated to improve detection accuracy.
    Restrict access to background script
    • New description: This property holds the required role to access Script Background module. If glide.script_processor.admin is not set to the recommended and default value of admin, then users having a lower privileged role will be able to run background scripts on the instance. This will lead to a complete bypass of the ACL system allowing full access to tables.
    • Old description: This property holds the required role to access Script Background module. If glide.script_processor.admin is not set to the recommended value of admin, security_admin, or maint, then users having a lower privileged role will be able to run background scripts on the instance. This will lead to a complete bypass of the ACL system allowing full access to tables.
    • New remediation: Ensure the property glide.script_processor.admin is set to the admin role. This is the default value on instances.
    • Old remediation: Ensure the property glide.script_processor.admin is set to the admin, security_admin, or maint role.
    Verify certificate chain and hostname
    • New description: When the Glide Property com.glide.communications.httpclient.verify_hostname is not set to the secure value of true, the hostname and certificate chain presented by remote hosts during a TLS connection initiated from the ServiceNow instance are not validated. This could compromise the security of the TLS connection and allow person-in-the-middle attacks, where communications between two parties are intercepted. This may lead to sensitive data disclosure.
    • Old description: If com.glide.communications.httpclient.verify_hostname is not set to true, this could allow person-in-the-middle attacks where communications between two parties are intercepted. Setting this property to an insecure value disables the certificate verification process, which evaluates all certificates in the certificate chain by checking revocation status. Set this property to true to prevent the http client from connecting to a potentially harmful hostname.
    Control Lockout Time for Invalid Password Reset Attempts
    • New short description: Control Lockout Time for Invalid Password Reset Attempts
    • Old short description: Minimize Reset Password Request Max Attempts Window Duration
    • New description: The password_reset.request.max_attempt_window property defines the number of minutes a user must wait to reset or change their password after exceeding the maximum number of unsuccessful attempts that is set with the password_reset.request.max_attempt property. A small number of minutes for the password_reset.request.max_attempt_window property increases the risk of successfully brute forcing a password as a greater number of password reset attempts can be made. The default of 1440 minutes is recommended.
    • Old description: If password_reset.request.max_attempt_window is not set to the recommended value of 1440 or less, then it could be possible to perform account bruteforce as the account will not be locked after a maximum number of wrong authentication attempts.
    • New remediation: Ensure the property password_reset.request.max_attempt_window is set to 1440 or greater.
    • Old remediation: Ensure the property password_reset.request.max_attempt_window is set to 1440 or less.
    • Rule Script: Script has been updated to improve detection accuracy.
    Disable GlideRecord Scope Fencing Legacy Behavior
    • New short description: Disable GlideRecord Scope Fencing Legacy Behavior
    • Old short description: Enable GlideRecord Scope Fencing Legacy Behavior
    • New remediation: Set the Glide Property glide.record.legacy_cross_scope_access_policy_in_script to false. When not present in the sys_properties table, the default value is true.
    • Old remediation: Set the Glide Property glide.record.legacy_cross_scope_access_policy_in_script to false.
    Limit Invalid Password Reset Attempts
    • New short description: Limit Invalid Password Reset Attempts
    • Old short description: Minimize Reset Password Request Max Attempt Allowance
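As an added example, not ServiceNow's own Security Center rule scripts, the following Node.js snippet evaluates a handful of the checks listed on this page against an exported sys_properties snapshot, applying the implied default the page documents when a record is absent (the main accuracy change in baseline 5.0). The property names and thresholds come from the page; the rows in SAMPLE_ROWS are constructed, and washingtonOrLater is an assumed flag standing in for the instance's release family.

```javascript
// Added example, not ServiceNow's rule scripts: evaluates some baseline 5.0 checks
// against a sys_properties snapshot, using the documented default when a record is absent.

// Implied value when the record does not exist; glide.xmlutil.max_entity_expansion
// only has one on Washington or later. Undefined means absence is non-compliant.
function impliedDefault(name, washingtonOrLater) {
  switch (name) {
    case 'glide.ui.attachment.force_download_all_mime_types': return 'false';
    case 'glide.record.legacy_cross_scope_access_policy_in_script': return 'true';
    case 'glide.xmlutil.max_entity_expansion': return washingtonOrLater ? '3000' : undefined;
    default: return undefined;
  }
}
const isInt = v => typeof v === 'string' && /^\d+$/.test(v);

// Each check names the properties it reads and a predicate over their effective values.
const CHECKS = [
  { id: 'Require authorization for SOAP requests',
    props: ['glide.basicauth.required.soap'],
    ok: get => get('glide.basicauth.required.soap') === 'true' },
  { id: 'Restrict downloadable MIME types',
    props: ['glide.ui.attachment.force_download_all_mime_types'],
    ok: get => get('glide.ui.attachment.force_download_all_mime_types') === 'true' },
  { id: 'Disable GlideRecord Scope Fencing Legacy Behavior',
    props: ['glide.record.legacy_cross_scope_access_policy_in_script'],
    ok: get => get('glide.record.legacy_cross_scope_access_policy_in_script') === 'false' },
  { id: 'Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable',
    props: ['glide.xmlutil.max_entity_expansion'],
    ok: get => isInt(get('glide.xmlutil.max_entity_expansion'))
      && Number(get('glide.xmlutil.max_entity_expansion')) <= 3000 },
  { id: 'Control Lockout Time for Invalid Password Reset Attempts',
    props: ['password_reset.request.max_attempt_window'],
    ok: get => isInt(get('password_reset.request.max_attempt_window'))
      && Number(get('password_reset.request.max_attempt_window')) >= 1440 },
  { id: 'Enforce URL allowlist check', // either condition satisfies the rule
    props: ['glide.security.url.whitelist.strict_check', 'glide.security.url.whitelist'],
    ok: get => get('glide.security.url.whitelist.strict_check') === 'true'
      || (get('glide.security.url.whitelist') || '').length > 0 },
];

// rows: [{name, value}] exported from sys_properties; returns one result per check.
function evaluate(rows, washingtonOrLater) {
  const byName = new Map(rows.map(r => [r.name, String(r.value).trim()]));
  return CHECKS.map(c => {
    const get = n => byName.has(n) ? byName.get(n) : impliedDefault(n, washingtonOrLater);
    const missing = c.props.filter(p => !byName.has(p));
    const compliant = c.ok(get);
    // Mirrors the page's remediation wording: add the record when absent, else set it.
    const remediation = compliant ? null
      : missing.length ? `add sys_properties record(s): ${missing.join(', ')}`
      : `set ${c.props.join(' / ')} to a compliant value`;
    return { id: c.id, compliant, missing, remediation };
  });
}

// Constructed sample snapshot: two properties set, the rest absent.
const SAMPLE_ROWS = [
  { name: 'glide.basicauth.required.soap', value: 'true' },
  { name: 'password_reset.request.max_attempt_window', value: '60' },
];
```

Running evaluate(SAMPLE_ROWS, true) reports the entity expansion check as compliant through its implied default of 3000, while the same snapshot with washingtonOrLater set to false reports it as a missing record, which is exactly the distinction the updated rule scripts make.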