New hardening settings for baseline version 2.0
The new hardening settings in the Security Center version 2.0 baseline update the recommended security posture of ServiceNow instances. These settings were released with the Washington DC release on February 1, 2024.
Here's a list of all the new hardening settings released with the Security Center version 2.0 baseline.
- Ensure archive table ACLs are checked [New in Security Center 1.3 and updated in 1.5]
- Enforce application scope restrictions [New in Security Center 1.3 and removed in 1.5]
- Enable the hardened Java security manager [New in Security Center 1.3]
- Verify certificate revocation [New in Security Center 1.3]
- Require clearing pasteboard when backgrounding mobile application [New in Security Center 1.3 and updated in 1.5]
- Enable protected tables plugin [New in Security Center 1.3]
- Enforce strict elevate privilege [New in Security Center 1.3]
- Limit integrations' active session life span [New in Security Center 1.3]
- Proactively invalidate inactive sessions [New in Security Center 1.3 and updated in 1.5]
- Enable MID audit log [New in Security Center 1.3 and updated in 1.5]
- Use of secure insert multiple operation within import set API [New in Security Center 1.3]
- Enforce OCSP check on network error [New in Security Center 1.3]
- Enforce security rules to sharing dashboards [New in Security Center 1.3]
- Restrict OAuth parameters to POST body [New in Security Center 1.3]
- Limit attachment size in training and prediction flows for GraphQL endpoints [New in Security Center 1.3 and updated in 1.5]
- Enable GlideRecord Scope Fencing Legacy Behavior [New in Security Center 1.3 and updated in 1.5]
- Enforce credential alias usage [New in Security Center 1.3 and updated in 1.5]
- Required JMS connection factories [New in Security Center 1.3 and updated in 1.5]
- Limit attachment size in training and prediction flows [New in Security Center 1.3 and updated in 1.5]
- Log session audit events [New in Security Center 1.3 and updated in 1.5]
- Require write access to access service catalog add item page [New in Security Center 1.3]
- Define active session timeout exception roles [New in Security Center 1.3]
- Certificate-based authentication not enforced [New in Security Center 1.3]
- Enforce scoped ACL access for information request playbooks [New in Security Center 1.3 and updated in 1.5]
- Hide user comments on articles [New in Security Center 1.3]
- Ensure dashboards creation/deletion requires access check [New in Security Center 1.3]
- Enforce device encryption and passcode requirements [New in Security Center 1.3]
- Validate file MIME type in AttachmentCreator SOAP web service [New in Security Center 1.3 and updated in 1.5]
- Check impersonation on ACL evaluation in HR App [New in Security Center 1.3 and updated in 1.5]
- Require CAPTCHA for guest walk-up experience in customer service application [New in Security Center 1.3 and updated in 1.5]
- Require Authentication on Event Management HTTP Processor [New in Security Center 1.3 and updated in 1.5]
- Limit guest's active session life span [New in Security Center 1.3]
- Disallow target cloning [New in Security Center 1.3]
- Set safe content security policy for SVG files [New in Security Center 1.3]
- Anti-CSRF token validation time [New in Security Center 1.3]
- Restrict knowledge bases access [New in Security Center 1.3]
- Enforce scope security for public sector digital services [New in Security Center 1.3]
- Restrict HR case updates from personal emails [New in Security Center 1.3 and updated in 1.5]
- Limit UI active session life span [New in Security Center 1.3]
- Enforce secure referrer policy [New in Security Center 1.3]