| Require authorization for SOAP requests [Updated in Security Center 1.3, 1.5, and 2.0] |
- New remediation: Ensure the Glide Property
glide.basicauth.required.soap exists
and is set to the value true. Alternatively, configure the
instance for WS Security by setting the property
glide.soap.require_ws_security to true and following the product
documentation to configure WS Security Profiles. If the property
does not appear in the sys_properties table, add a new
record.
- Old remediation: Ensure the property
glide.basicauth.required.soap is set to
the value true. Alternatively, configure the instance for WS
Security by setting the property
glide.soap.require_ws_security to true
and following the product documentation to configure WS Security
Profiles.
|
| Enforce OCSP check on network error [New in Security Center 1.3 and updated in 2.0] |
- New remediation: Ensure the property
com.glide.communications.httpclient.ocsp_allow_network_error
exists and is set to false. If the property does not appear in
the sys_properties table, add a new record.
- Old Remediation: Ensure the property
com.glide.communications.httpclient.ocsp_allow_network_error
is set to false.
|
| Disable external content url [Updated in Security Center 2.0] |
- New remediation: Ensure the Glide Property
glide.ui.url.external.content exists
and is set to the value false. If the property does not appear
in the sys_properties table, add a new record.
- Old Remediation: Ensure the property
glide.ui.url.external.content is set to
false.
- New CVSS Score: 7.2
- Old CVSS Score: 8.1
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Restrict XML external entities [Updated in Security Center 1.3 and 2.0] |
- New remediation: Ensure the Glide Property
glide.xml.entity.whitelist exists and
is set to "http://java.sun.com/j2ee/dtds/" and the Glide
Property glide.xml.entity.whitelist.enabled
exists and is set to the value true. If the properties do not
appear in the sys_properties table, add new records.
- Old Remediation: Ensure the property
glide.xml.entity.whitelist is set to
"http://java.sun.com/j2ee/dtds/" and
the property
glide.xml.entity.whitelist.enabled is
set to true.
|
| Disable unauthenticated published reports [Updated in Security Center 2.0] |
- New remediation: Ensure the Glide Property
glide.report.published_reports.enabled
exists and is set to the value false. If the property does not
appear in the sys_properties table, add a new record.
- Old Remediation: Ensure the property
glide.report.published_reports.enabled
is set to false.
|
| Enable password reset policy checks [Updated in Security Center 2.0] |
- New remediation: Ensure the Glide Property
glide.enable.password_policy exists and
is set to the value true. If the property does not appear in the
sys_properties table, add a new record.
- Old Remediation: Ensure the property
glide.enable.password_policy is set to
true.
|
| Minimize Entity Expansion Threshold for GlideXMLUtil Scriptable [Updated in Security Center 1.3, 1.5, and 2.0] |
- New remediation: Ensure the property
glide.xmlutil.max_entity_expansion is
set to 3000 or less. If the instance is on Washington or later,
the default implied value is 3000 if the sys_properties record
does not exist. If the instance is not on Washington or later,
the recommendation is for the instance admin to create a
sys_properties record with name
glide.xmlutil.max_entity_expansion and the value
3000.
- Old Remediation: Ensure the property
glide.xmlutil.max_entity_expansion is
set to 3000 or less.
|
| Disable outbound SSLv2/SSLv3 connections [Updated in Security Center 1.3 and 2.0] |
- New remediation: Ensure the Glide Property
glide.outbound.sslv3.disabled exists
and is set to the value true. If the property does not appear in
the sys_properties table, add a new record.
- Old Remediation: Ensure the property
glide.outbound.sslv3.disabled is set to
true.
Important: The value for the glide.outbound.sslv3.disabled property is a safe override and cannot be altered once changed.
|
| Restrict uploaded MIME types [Updated in Security Center 1.3 and 2.0] |
- New remediation: Ensure the property
glide.security.file.mime_type.validation
exists and is set to true. If the property does not appear in
the sys_properties table, add a new record.
- Old remediation: Ensure the property
glide.security.file.mime_type.validation
is set to true.
|
| Enable Jelly JS interpolation protection for nested expressions [Updated in Security Center 2.0] |
- New remediation: Ensure the Glide Property
glide.ui.jelly.js_interpolation.protect_nested_expressions
exists and is set to the value true. If the property does not
appear in the sys_properties table, add a new record.
- Old remediation: Ensure the property
glide.ui.jelly.js_interpolation.protect_nested_expressions
is set to true.
|
| Enable SSL in LDAP authentication [Updated in Security Center 1.5 and 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Enable UserCookie version 3.1 [Updated in Security Center 2.0] |
- New description: UserCookie v3 is generated only when the
property glide.ui.secure.cookies.use_kmf is
disabled. UserCookie v3 is not secure because the secret key for
its HMAC is stored in source code and is identical for all
customers, so a malicious actor who obtains that one secret key
can attempt to hijack user sessions. By setting the property
glide.ui.secure.cookies.use_kmf to true,
UserCookie v3.1 is used and the secret key is stored in secure
storage such as KMF.
- Old description: UserCookie v3 is generated only when the property
glide.ui.secure.cookies.use_kmf is
disabled. UserCookie v3 is not secure because the secret key for
its HMAC is stored in source code and is identical for all
customers, so a malicious actor who obtains that one secret key
can attempt to hijack user sessions.
- New remediation: Ensure the property
glide.ui.secure.cookies.use_kmf exists
and is set to true. If the property does not appear in the
sys_properties table, add a new record.
- Old remediation: Ensure the property
glide.ui.secure.cookies.use_kmf is set
to true, which means UserCookie v3.1 will be used and the secret
key will be stored in secure storage such as KMF.
|
| Set OTP lifetime for password reset to 1 hour [Updated in Security Center 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Log user impersonation [Updated in Security Center 1.3 and 2.0] |
- New remediation: Ensure the property
glide.sys.log_impersonation exists and
is set to true. If the property does not appear in the
sys_properties table, add a new record.
- Old remediation: Ensure the property
glide.sys.log_impersonation is set to
true.
|
| Required jms connection factories [New in Security Center 1.3 and updated in 1.5 and 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Ensure dashboards creation/deletion requires access check [New in Security Center 1.3 and updated in 2.0] |
- New remediation: Ensure the Glide Property
glide.processors.check_access_before_process
exists and is set to the value true. If the property does not
appear in the sys_properties table, add a new record.
- Old remediation: Ensure the value of
glide.processors.check_access_before_process
is always true.
|
| Proactively invalidate inactive sessions [New in Security Center 1.3 and updated in 1.5 and 2.0] |
- New remediation: Ensure the Glide Property
glide.active.session.timeout.invalidate.session
exists and is set to the value true. If the property does not
appear in the sys_properties table, add a new record.
- Old remediation: Set the Glide Property
glide.active.session.timeout.invalidate.session
to true.
|
| Enforce Security Scope for Agent Workspace for HR Case Management [New in Security Center 1.5 and updated in 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Enforce security scope license and permit playbook [New in Security Center 1.5 and updated in 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Restrict Downloadable MIME types [Updated in Security Center 1.3 and 2.0] |
- New description: If the property
glide.ui.attachment.force_download_all_mime_types
is set to true, then the
glide.ui.attachment.download_mime_types
property will be overridden so that all MIME types will be
downloaded rather than rendered by the browser. For example,
downloading text/html forces an HTML file to be downloaded to
the client as a file rather than viewed inline in the browser,
preventing an XSS attack. XSS can lead to easily attained
privilege escalation to higher roles such as admin where more
lateral movement can be taken.
- Old description: If the property
glide.ui.attachment.force_download_all_mime_types
is not set to true, then the
glide.ui.attachment.download_mime_types
property will be overridden so that all MIME types will be
downloaded rather than rendered by the browser. For example,
downloading text/html forces an HTML file to be downloaded to
the client as a file rather than viewed inline in the browser,
preventing an XSS attack. The ability to have XSS can lead to
easily attained privilege escalation to higher roles such as
admin where more lateral movement can be taken.
- New remediation: Ensure the property
glide.ui.attachment.force_download_all_mime_types
is set to true. If the property does not exist in the
sys_properties table, the default value is false.
- Old remediation: Ensure the property
glide.ui.attachment.force_download_all_mime_types
is set to true.
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Define restricted downloadable MIME types [Updated in Security Center 1.3, 1.5, and 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Disallow infected file download [Updated in Security Center 1.5 and 2.0] |
- New description: When the property
com.glide.snap.infected_download_allowed
is set to true, users can still download non-scanned attachments
in the case that the antivirus service is down or unreachable.
This means it is possible that a user downloads a malicious file
and risks infecting the user's desktop (in the case there is no
other endpoint protection on the device).
- Old description: If
com.glide.snap.infected_download_allowed
is not set to the recommended value of False, then it is
possible to download a malicious file that has not been scanned
leading to a risk of infecting the user's desktop.
- New remediation: Ensure the property
com.glide.snap.infected_download_allowed
is set to false.
- Old remediation: Ensure the property
com.glide.snap.infected_download_allowed
is set to False.
|
| Restrict access to GlideSystemUserSession scriptable API [Updated in Security Center 1.3 and 2.0] |
- New description:
gs.addErrorMessageNoSanitization()
and gs.addInfoMessageNoSanitization() are
used within the scripting environment for logging and
notifications. Both are available in the sandbox if the property
glide.sandbox.usersession.allow_unsanitized_messages
is not set to the recommended value of false. The
sandbox is a low-privileged scripting environment available to
unauthenticated users and users with no role. Both methods can be
used to display unsanitized input to a user. Displaying
unsanitized input is dangerous, as it may contain script that
runs in the user's browser. This can be used for traditional
reflected XSS attacks, which in turn can be used in multiple
scenarios, including session hijacking.
- Old description: Messaging within the glide scripting sandbox is
used for logging purposes. Calling this unsanitized error
function exposes the platform to reflected XSS attacks. XSS
attacks can allow for easy privilege escalation by stealing
someone's session cookies. If
glide.sandbox.usersession.allow_unsanitized_messages
is not set to the recommended value of false, then the
unsanitized error messaging functions
addErrorMessageNoSanitization and
addInfoMessageNoSanitization are
available to script.
|
| Enable work order management query rules for service organizations [New in Security Center 1.5 and updated in 2.0] |
- New description: When set to true, rules/filters from
sn_query_rule table will be used to determine read access to
Field Service Management-related tables (Work Order and Work
Order Task) to the logged in user through query business rules
and read ACLs. When false, the records won't be filtered based
on query rules. Query business rules add additional security
validations. Specifically, this property will filter records for
agents, qualifiers, and dispatchers based on their assigned
territory or territory membership. It is best practice to follow
the principle of least privilege when reading records. When this
property is not set to true, there may be increased risk of data
exposure from Field Service Management tables.
- Old description: When set to true, rules/filters from
sn_query_rule table will be used to determine read access to
Field Service Management-related tables (Work Order and Work
Order Task) to the logged in user through query business rules
and read ACLs. When false, the records won't be filtered based
on query rules. Query business rules add additional security
validations. Specifically, this property will filter records for
agents, qualifiers, and dispatchers based on their assigned
territory or territory membership. It is best practice to follow
the principle of least privilege when reading records.
|
| Restrict email domains for external user registration [Updated in Security Center 1.3, 1.5, and 2.0] |
- New description: The
sn_ext_usr_reg.allowed_email_domains
property defines which email addresses are allowed to
self-register to a ServiceNow instance. The format should be a
comma separated list of acceptable email domains such as
domain1.com,domain2.com where emails such as example@domain2.com
will be accepted. If
sn_ext_usr_reg.allowed_email_domains is
not set with a list of acceptable domains, then users with any
email address are allowed to register accounts on the instance.
If it is not defined, malicious actors could register using
email addresses from unwanted domains to gain authenticated
access to the instance.
- Old description: The
sn_ext_usr_reg.allowed_email_domains
property defines which email addresses are allowed to
self-register to a ServiceNow instance. If
sn_ext_usr_reg.allowed_email_domains is
not set with a list of acceptable domains, then users with any
email address are allowed to register accounts on the instance.
If it is not defined, malicious actors could register using
email addresses from unwanted domains to gain authenticated
access to the instance.
|
| Apply domain separation on dot walked fields [Updated in Security Center 1.3, 1.5, and 2.0] |
- New description: This property controls whether join queries are
given domain separated conditions or not, in order to ensure
they apply domain separation functionality for dot walked
fields. If
glide.sys.domain.include_domain_condition_on_join
is not set to the recommended value of true on an instance using
domain separation, then sensitive information could be disclosed
that is not to be shared with a specific domain. There may be
moderate functional impact to the instance if components are
reliant on the unsafe cross domain queries. Instances should be
tested in subproduction environments before enabling.
- Old description: This property controls whether join queries are
given domain separated conditions or not, in order to ensure
they apply domain separation functionality for dot walked
fields. If
glide.sys.domain.include_domain_condition_on_join
is not set to the recommended value of true on an instance using
domain separation, then sensitive information could be disclosed
that is not to be shared with a specific domain.
|
| Enforce URL allowlist check [Updated in Security Center 1.3, 1.5, and 2.0] |
- New remediation: Ensure the property
glide.security.url.whitelist.strict_check
is set to true or the property
glide.security.url.whitelist is set to
a value.
- Old remediation: Ensure the property
glide.security.url.whitelist.strict_check
is set to "true" and the property
glide.security.url.whitelist is set to
a value.
|
| Set guest user for soap requests [Updated in Security Center 1.3 and 2.0] |
Rule Script: Script has been updated to improve detection
accuracy. |
| Restrict access to background script [Updated in Security Center 1.3 and 2.0] |
- New description: This property holds the required role to access
Script Background module. If
glide.script_processor.admin is not set
to the recommended and default value of admin, then users having
a lower privileged role will be able to run background scripts
on the instance. This will lead to a complete bypass of the ACL
system allowing full access to tables.
- Old description: This property holds the required role to access
Script Background module. If
glide.script_processor.admin is not set
to the recommended value of admin, security_admin, or maint,
then users having a lower privileged role will be able to run
background scripts on the instance. This will lead to a complete
bypass of the ACL system allowing full access to tables.
- New remediation: Ensure the property
glide.script_processor.admin is set to
admin. This is the default value on instances.
- Old remediation: Ensure the property
glide.script_processor.admin is set to
the admin, security_admin, or maint role.
|
| Verify certificate chain and hostname [New in Security Center 1.3 and updated in 2.0] |
- New description: When the Glide Property
com.glide.communications.httpclient.verify_hostname
is not set to the secure value of true, the hostname and
certificate chain presented by remote hosts during a TLS
connection initiated from the ServiceNow instance are not
validated. This could compromise the security of the TLS
connection and allow person-in-the-middle attacks, where
communications between two parties are intercepted. This may
lead to sensitive data disclosure.
- Old description: If
com.glide.communications.httpclient.verify_hostname
is not set to true this could allow person-in-the-middle attacks
where communications between two parties are intercepted.
Setting this property to an insecure value disables the
certificate verification process, which evaluates every
certificate in the certificate chain and checks its revocation
status. Set this property to true to prevent the HTTP client
from connecting to a potentially harmful hostname.
|
| Control Lockout Time for Invalid Password Reset Attempts [Updated in Security Center 1.3 and 2.0] |
- New short description: Control Lockout Time for
Invalid Password Reset Attempts
- Old short description: Minimize Reset Password Request
Max Attempts Window Duration
- New description: The
password_reset.request.max_attempt_window
property defines the number of minutes a user must wait to reset
or change their password after exceeding the maximum number of
unsuccessful attempts that is set with the
password_reset.request.max_attempt
property. A small number of minutes for the
password_reset.request.max_attempt_window
property increases the risk of successfully brute forcing a
password as a greater number of password reset attempts can be
made. The default of 1440 minutes is recommended.
- Old description: If
password_reset.request.max_attempt_window
is not set to the recommended value of 1440 or less, then it
could be possible to perform account bruteforce as the account
will not be locked after a maximum number of wrong
authentication attempts.
- New remediation: Ensure the property
password_reset.request.max_attempt_window
is set to 1440 or greater.
- Old remediation: Ensure the property
password_reset.request.max_attempt_window
is set to 1440 or less.
- Rule Script: Script has been updated to improve detection
accuracy.
|
| Disable GlideRecord Scope Fencing Legacy Behavior [New in Security Center 1.3 and updated in 1.5 and 2.0] |
- New short description: Disable GlideRecord Scope
Fencing Legacy Behavior
- Old short description: Enable GlideRecord Scope
Fencing Legacy Behavior
- New remediation: Set the Glide Property
glide.record.legacy_cross_scope_access_policy_in_script
to false. When not present in the sys_properties table, the
default value is true.
- Old remediation: Set the Glide Property
glide.record.legacy_cross_scope_access_policy_in_script
to false.
|
| Limit Invalid Password Reset Attempts [Updated in Security Center 1.3 and 2.0] |
- New short description: Limit Invalid Password Reset
Attempts
- Old short description: Minimize Reset Password Request
Max Attempt Allowance
|
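Most of the updated remediations above change the check from "the property is set to X" to "the property exists and is set to X", and several rules (Minimize Entity Expansion Threshold, Restrict Downloadable MIME types, Restrict access to background script, Disable GlideRecord Scope Fencing Legacy Behavior) now state which value the platform implies when the record is absent. The JavaScript below is an added example, not ServiceNow code or a ServiceNow API, of auditing an exported list of sys_properties name/value pairs with those semantics: an absent record is compliant only when the page states a secure implied default, the numeric rules use the 3000-or-less and 1440-or-greater bounds given above, and the Enforce URL allowlist rule is evaluated as the either/or check of its new remediation. The property names and values are the ones quoted on this page; the export format, the function names and the sample export are assumptions made for the example.

```javascript
// Added example (not ServiceNow's own code or API): audit a sys_properties export
// against a subset of the hardening rules on this page. Each record is a
// { name, value } pair as it would appear in the sys_properties table.

// Baseline derived from the rules above. `defaultIfMissing` is the value the page
// says the platform implies when no record exists; without it, an absent record
// is itself a finding (the "add a new record" case in the new remediations).
const BASELINE = [
  { name: 'glide.basicauth.required.soap', expect: 'true' },
  { name: 'glide.ui.url.external.content', expect: 'false' },
  { name: 'glide.xml.entity.whitelist.enabled', expect: 'true' },
  { name: 'glide.xml.entity.whitelist', expect: 'http://java.sun.com/j2ee/dtds/' },
  { name: 'glide.ui.secure.cookies.use_kmf', expect: 'true' },
  // Numeric ceiling; Washington and later imply 3000 when the record is absent.
  { name: 'glide.xmlutil.max_entity_expansion', max: 3000,
    defaultIfMissing: { value: '3000', washingtonOnly: true } },
  // Absent record means the platform default of false, which is non-compliant.
  { name: 'glide.ui.attachment.force_download_all_mime_types', expect: 'true',
    defaultIfMissing: { value: 'false' } },
  // Default is admin; anything lower lets that role run background scripts.
  { name: 'glide.script_processor.admin', expect: 'admin',
    defaultIfMissing: { value: 'admin' } },
  // Lockout window in minutes; the updated remediation wants 1440 or greater.
  { name: 'password_reset.request.max_attempt_window', min: 1440 },
  // Absent record leaves the legacy cross-scope behaviour on (default true).
  { name: 'glide.record.legacy_cross_scope_access_policy_in_script', expect: 'false',
    defaultIfMissing: { value: 'true' } },
];

// URL allowlist rule: strict checking is on OR an allowlist value is defined.
const URL_ALLOWLIST_ANY_OF = [
  { name: 'glide.security.url.whitelist.strict_check', expect: 'true' },
  { name: 'glide.security.url.whitelist', nonEmpty: true },
];

// Effective value of a property: the record if present, else the implied default.
function effectiveValue(records, rule, washingtonOrLater) {
  const rec = records.find(r => r.name === rule.name);
  if (rec) return { value: String(rec.value).trim(), source: 'record' };
  const d = rule.defaultIfMissing;
  if (d && (!d.washingtonOnly || washingtonOrLater)) {
    return { value: d.value, source: 'default' };
  }
  return { value: null, source: 'missing' };
}

// True when the effective value satisfies the rule.
function ruleSatisfied(rule, value) {
  if (value === null) return false;
  if (rule.nonEmpty) return value.length > 0;
  if (rule.expect !== undefined) return value.toLowerCase() === rule.expect.toLowerCase();
  const n = Number(value);
  if (!Number.isFinite(n)) return false;
  if (rule.max !== undefined && n > rule.max) return false;
  if (rule.min !== undefined && n < rule.min) return false;
  return true;
}

// Returns one finding per failed rule. Pass { washingtonOrLater: true } for
// instances on Washington or later.
function auditProperties(records, { washingtonOrLater = false } = {}) {
  const findings = [];
  for (const rule of BASELINE) {
    const { value, source } = effectiveValue(records, rule, washingtonOrLater);
    if (ruleSatisfied(rule, value)) continue;
    findings.push({
      name: rule.name,
      found: source === 'record' ? value : `${value === null ? 'none' : value} (${source})`,
      action: source === 'record' ? 'update value' : 'create record',
    });
  }
  const allowlistOk = URL_ALLOWLIST_ANY_OF.some(rule =>
    ruleSatisfied(rule, effectiveValue(records, rule, washingtonOrLater).value));
  if (!allowlistOk) {
    findings.push({
      name: 'glide.security.url.whitelist',
      found: 'strict_check is not true and no allowlist is set',
      action: 'set strict_check=true or define glide.security.url.whitelist',
    });
  }
  return findings;
}

// Constructed sample export (not from a real instance): two wrong values and two
// absent records whose implied defaults are the insecure setting.
const SAMPLE_EXPORT = [
  { name: 'glide.basicauth.required.soap', value: 'true' },
  { name: 'glide.ui.url.external.content', value: 'false' },
  { name: 'glide.xml.entity.whitelist.enabled', value: 'true' },
  { name: 'glide.xml.entity.whitelist', value: 'http://java.sun.com/j2ee/dtds/' },
  { name: 'glide.ui.secure.cookies.use_kmf', value: 'false' },      // wrong value
  { name: 'glide.xmlutil.max_entity_expansion', value: '10000' },   // above ceiling
  { name: 'glide.script_processor.admin', value: 'admin' },
  { name: 'password_reset.request.max_attempt_window', value: '1440' },
  { name: 'glide.security.url.whitelist', value: 'https://sso.example.com' },
];

console.log(auditProperties(SAMPLE_EXPORT));
```

Run against the sample export this reports four findings: the two records with wrong values, and the two absent records (force_download_all_mime_types and legacy_cross_scope_access_policy_in_script) whose implied defaults are the insecure setting. A check written to the old remediation wording, which only compares the value of records that exist, would miss the latter two, which is the practical reason the updated remediations say "exists and is set to".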