Hardening settings
Summary of Hardening settings
The ServiceNow Security Center (SSC) hardening settings provide detailed descriptions and compliance values for security-related system properties and plugins within the ServiceNow AI Platform. These settings can be managed directly via the hardening settings app in the Security Center, which calculates a daily compliance score reflecting how closely your instance’s security configurations align with recommended standards.
This compliance score helps you monitor and improve the security posture of your instance by adjusting configurations to meet best practice hardening values.
Hardening Settings Configuration
Each hardening setting includes several important attributes to guide your security decisions:
- Overview: High-level description of the recommendation.
- Configuration name and type: Identifies the system property or plugin and where it can be configured (e.g., system properties list).
- Data type: Specifies the expected value format (boolean, string, plugin, etc.).
- Recommended and default values: Indicates the advised configuration for compliance and the system’s default setting.
- Category: Classifies the hardening setting into specific security areas such as Authentication or API security.
- Security risk and severity score: Shows the potential risk level using CVSS scoring (0.0 to 10.0), with severity ratings from None to Critical.
- Security risk details: Explains the importance and consequences of not applying the recommended values.
- Dependencies and prerequisites: Notes any related settings required before or alongside the hardening configuration.
- Functional impact: Describes how the setting affects your instance's operation.
- References: Provides links to relevant documentation for deeper understanding.
Note that some hardening settings require intervention by Customer Service and Support, which will be clearly indicated.
Security Categories Covered
The hardening settings span multiple critical security domains, enabling you to comprehensively secure your instance:
- Access control: Protects resources by managing permissions and roles to prevent unauthorized access.
- API and web service: Ensures authentication, authorization, input validation, and security controls for APIs.
- Architecture, design, and threat modeling: Addresses secure design principles including confidentiality, integrity, and availability, plus secure software development lifecycle elements.
- Authentication: Covers modern authentication methods to prevent impersonation and password interception.
- Business Logic: Ensures logical flow integrity and protection against automated attacks and privilege escalation.
- Communications: Enforces strong encryption standards, TLS versions, cipher suites, and certificate trust.
- Configuration: Promotes secure build pipelines and hardened third-party components to avoid deploying vulnerable code.
- Data protection: Focuses on maintaining data confidentiality, integrity, and availability.
- Error handling and logging: Controls the quality and exposure of log data.
- File and resources: Ensures secure handling and storage of untrusted files and data.
- Malicious code: Promotes code free from vulnerabilities and unwanted functionality.
- Session management: Secures user session integrity, uniqueness, and expiration.
- Stored cryptography: Covers encryption of stored data, secure key management, and use of established cryptographic standards.
- Validation, sanitization, and encoding: Protects against injection attacks by enforcing strict input validation.
Practical Benefits for ServiceNow Customers
By leveraging the hardening settings in the Security Center, customers can:
- Continuously monitor and improve their instance’s security compliance score.
- Understand and apply recommended security configurations tailored to their environment.
- Mitigate risks associated with vulnerabilities through prioritized severity ratings.
- Ensure compliance with best practices across multiple security domains critical to enterprise security.
- Access detailed documentation and support for implementing complex or restricted configurations.
This approach enables a proactive security posture, helping protect your ServiceNow instance from unauthorized access, data breaches, and other common threats.
The ServiceNow Security Center (SSC) hardening settings content contains detailed descriptions and compliance values for the security-related system properties and plugins in the ServiceNow AI Platform. You can set these properties using the hardening settings app in the Security Center.
Overview and purpose
The Security Center calculates a daily compliance score, expressed as a percentage, based on how closely your current instance security settings match the compliance values in the Security Center hardening settings.
You can manage the specific security configuration settings that may affect the score for your instance directly from the Security Center.
The hardening settings configurations are explained with several attributes described in the table.
| Configuration attribute | Description |
|---|---|
| Overview | Provides a high-level overview of the recommendation. |
| Configuration name | The property or plugin name. |
| Configuration type | Describes where the property can be configured outside of the Security Center, such as in system properties (sys_properties_list.do). |
| Data type | Describes the type of value required for the configuration. Examples are true/false boolean, installation, plugin, string, etc. |
| Recommended value | The value that is recommended by the Security Center to enhance security compliance in your instance. |
| Default value | The value that the configuration is set to in the base system. |
| Category | The name and link to the category for the hardening setting. |
| Security risk | Severity score: The score indicates the potential security risk to your instance, based on the likelihood that the vulnerability will be exploited. Each security vulnerability is considered and scored individually using the CVSS (Common Vulnerability Scoring System) score on a scale ranging from 0.0 to 10.0. See https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator for additional information. |
| | Severity rating per CVSS score: |
| | Security risk details: Describes the importance of the setting configuration and the risk of not utilizing the recommended configuration. |
| Dependencies and prerequisites | Related settings or configurations that are required before or in conjunction with the hardening configuration. |
| Functional impact | The impact this hardening setting has on the operation of your instance. |
| References | Links to configuration documentation or other helpful information. |
To learn more about ensuring your instances meet hardening requirements, see Security hardening.
Other resources
- Available system properties
- General security settings properties
- High Security Settings