Use the ServiceNow Access Control plugin to control which employees can access your instance, and when. Enforcing a default deny posture for all users except those users you specify. This can include ServiceNow employees. Using this plugin helps prevent unwanted access to your instance.

For details on this plugin, see ServiceNow access control.

Select an information security contact within your organization who receives security-related information from the Security Team. This contact is in addition to your admin, who also receives these updates.

This information could be security issues, security alerts, or details about important software updates.

For details on adding a security contact, see KB0621516.

Change the passwords on your instance's built-in user accounts, such as admin, ITIL, and employee. These accounts are provisioned with default passwords, unique to your instance, but should be changed as soon as possible.

For details on how to change the passwords for user accounts on your instance, see Configure password for a user.

Verify that browsers that connect to your instance are using the more secure Transport Layer Security (TLS) 1.2. This change can be made on the browser or enforced by your web proxy or other gateway.

Consult the documentation for your browser, web proxy, or gateway for steps on how to configure those products to use only TLS 1.2.

If your organization uses Sender Policy Framework (SPF) to control inbound email with anti-spam technology, you must configure it to accept email originating from your instance. Configure SPF to query the SPF records dynamically.

If SPF isn’t an option, another approach is to add the mail server IP addresses to your allow list. This configuration must be monitored as the addresses could be subject to change.

For steps and additional details on these solutions, see KB0535456

Restrict attachment uploads by role, file extension, MIME type, or size to help prevent potentially malicious files being stored and then delivered from your instance. You can also control which file types can be downloaded, including by MIME type, and prevent image access by unauthenticated users.

These attachment restrictions are controlled by system properties on your instance. For details on their configuration, see Configure attachment system properties.

Prevent SQL error messages from being presented in the web browser. Though useful to users and developers, these messages can be used by attackers to learn information about your system or to help guide their attempts to access your data. These messages can be turned off using a system property.

For details on this system property, see Disable SQL Error Messages [Updated in Security Center 1.3 and 1.5].

Help ensure strong authentication by disabling password-less authentication when possible. Without disabling password-less authentication, potential attackers could gain access to your instance by correctly guessing a user name (such as firstname.lastname or a role title).

You can disable password-less authentication on your instance using a system property. For details on this property see Disable password-less authentication.

Track changes to your data using table auditing. Auditing tracks the creation, update, and deletion of all records in the table where it’s enabled, enabling admins to track changes to important or sensitive data. Admins can also choose to select specific fields in a table for auditing to see more targeted results or to reduce performance impact.

For details on auditing on instances, see Auditing.

For specific instructions on enabling auditing on a table, see Configuring auditing for a table.

Encrypt your data to maintain its confidentiality and integrity. Data on your instance can be within the database. You can also elect to subscribe to functionality to encrypt the data volume transparently on the backend. The physical disks on which the instance runs can also be encrypted in their entirety to guard data in case of their loss or theft.

You can use different methods of encryption simultaneously for data stored in your instance, depending on your use case and the risks you wish to mitigate. For example, you can choose to transparently encrypt your data at rest using database encryption on most tables, cloud encryption on the entire data volume. You could also use full disk hardware encryption, which also requires a dedicated environment to protect against drive or server theft.

Review the encryption options available with in Key Management Framework.

Use password policies to enforce the length, complexity, expiration, uniqueness, lockout, and more for native and local accounts on your instance. Use these policies to maximize security, encourage the adoption of long passphrases and help to eliminate the use of simple passwords.

You can retain your existing policies for any external authentication services you have integrated, such as LDAP or SAML.

For details on password policy configuration, see Configure your password policy.

Use this feature to create user accounts by email dynamically. Activate this feature only if necessary for your business needs, only after you have defined a list of trusted domains from which accounts can be created. You can also control how passwords are assigned to new accounts created this way.

For details on automatic user creation, see Enable automatic user creation.

Manage access to knowledge bases and articles to help ensure secure and efficient information sharing. You can determine whether certain users or categories of users can access knowledge bases and knowledge articles by controlling contribute and read access.

The specific configuration depends on your business needs. Learn about your options for configuring knowledge access at Managing access to knowledge bases and knowledge articles.

Use the High Security plugin (HSP) to enhance security management and applying appropriate settings. High Security Settings provides a central location for security settings, creates a distinct security administrator role, a default deny property, and other important security features.

HSP is installed and enabled by default on all new instances. You can request HSP activation for older instances, including instances that have had upgrades from an older version. Enabling HSP should be done only after careful testing in a non-production environment, as activation changes some fundamental properties and behaviors.

For more details on the High Security plugin, see Enable High Security Plugin [Updated in Security Center 1.3].

Security information constantly evolves, so it's crucial to stay updated with security resources to keep your information security strong.

Use the following resources to stay informed about security resources:

• CORE Directory: ServiceNow CORE Compliance Portal
• Securing the ServiceNow AI Platform: How ServiceNow protects customer data
• Secure your instance

Use the Security Center Hardening tool to reduce risk by limiting weaknesses that could be exploited, and implement recommended settings to secure your instance further.

Learn more about Security Center at Security Center.

Review the available hardening settings at Hardening settings.

Install patches and platform updates as soon as possible help ensure the highest levels of security for both your instance and those of other customers. Keeping current with updates also enables you to maintain continuous support by conforming to the EOL policy. Use Upgrade Center to help manage the process.

Security fixes are routinely released for the Now Platform via the patches and hot fixes that accompany product feature updates. Upgrading when new patches and hot fixes are available helps reduce the risk of potential vulnerabilities.

Information about Now Platform releases, patches, and hot fixes can be found in the Release Notes section of the product documentation. For more information, see Phase 1 - .

Integrate third-party multi-factor authentication (MFA) with your existing SAML IdP to provide additional login security. MFA provides a high level of security because authentication requires multiple authentication factors. Something the user knows (the password) as well as something they own (a one-time code, mobile phone, or biometric attributes, such as a fingerprint).

Learn more about MFA integration at Multi-factor authentication.

Control which domains and users your instance can communicate with via email by using system address filters. These filters can be customized to your requirements.

Learn how to configure trusted domains at Designate email domains as untrusted or trusted.

Learn more about system logs in System logs.

Monitor for unusual activity such as high numbers of failed logins, especially within short time frames. You can create alerts to send emails when a threshold you define is exceeded.

Learn how to configure these thresholds at Indicator thresholds.

Review the My security metrics dashboard to see the available security metrics for your instance, and set thresholds to generate email notifications for notable activity. Examples of notable activity can include:

Privilege escalation

Unexpected modifications made to privileged roles, such as Admin, ITIL_Admin, or any other roles with higher privileges could indicate suspicious actions.

Failed logins

Unusual numbers or patterns of failed logins can reveal potential brute force attempts or password spray attacks.

Admins and high privilege users added

New admin account creation should be checked for validity to help to prevent attempts at unauthorized privileged access.

Ensure that your instances are in compliance with the latest security hardening metrics using the Hardening tool in Security Center. Access this tool in a non-production instance assess impact to your environment. Ideally, the score should be as close to 100% as possible with a minimum score of 83%, without affecting product functionality.

Learn more about Security Center's hardening settings tool at Hardening settings.

Help to ensure that your instance is secure and resistant to unauthorized access as possible using secure coding practices. The ServiceNow Secure Coding guide for Instance developers provides an overview of application security-related GlideScriptable classes and methods offered by ServiceNow. This guide is designed to assist and educate developers while creating and modifying the code on the target Instance. Review the guide at ServiceNow Secure Coding guide for Instance developers.

Help prevent unwanted access to your instance by deactivating the Remember Me feature. When active, this feature stores a cookie is on the user's computer, which automatically authenticates the user on subsequent visits. This can present security issues if users access your instance from an insecure endpoint, such as a shared computer.

Learn more about this feature, and how to deactivate it in Remember me.

Help prevent unauthorized access to your instance by restricting access from IP addresses unrelated to your organization. Anyone trying to access the instance from an unauthorized IP address are denied. If using this approach, consider allowing only your gateway or web proxy external addresses, as well as addresses from which your users access the instance from, including remote users. You can restrict both outbound and inbound access by IP address.

Learn how to restrict access to your instance by IP address in Restrict access to specific IP ranges plugin [Updated in Security Center 1.3].

Protect your instance against password spray attacks. These attacks attempt to gain access by testing a commonly used password against multiple accounts in succession.

Learn more about spray attacks, and how to protect your instances from them in Password Spray Attack Mitigating Strategies.

Understand your shared role as a customer in maintaining the security of your instances by reviewing the Shared Responsibility Model. The Shared Responsibility Model defines the partnership between and the customer, both with specific responsibilities.

Learn more at ServiceNow Shared Responsibility Model.

Archive your log data to retain it beyond the default 21-day log rotation period. This archival can be achieved using web services requests, the data export feature, the MID Server, or the Log Export Service from the Vault package.

Use the following resources to learn more about these methods:

• Web services
• Exploring Log Export Service (LES)

Learn how to use the Key Management Framework (KMF) to protect the data on your instance using Role-Based Access Control (RBAC). KMF uses cryptographic modules, which enable you to define what data on your instance is encrypted, and what method of encryption to use. Using multiple modules, you can encrypt different areas of your instance with different specifications.

Learn how KMF and its components are used to encrypt your data at Exploring the Key Management Framework.

Learn about cryptographic modules in Cryptographic module overview.

Configure traffic to your integration providers using REST/SOAP connections to use certificate-based authentication. Secure Socket Layer (SSL) certificate authentication encrypts data in transit, helping to prevent it from being read as it is sent.

Learn more about this configuration in Configure mutual authentication.

Integrate third-party multi-factor authentication (MFA) with your existing SAML IdP to provide additional login security. MFA provides a high level of security because authentication requires multiple authentication factors. Something the user knows (the password) as well as something they own (a one-time code produced by an MFA token or mobile phone, or biometric attributes, such as a fingerprint).

ServiceNow supports direct MFA integration with local accounts, LDAP, SSO with SAML, OIDC, or Digest.

Adaptive Authentication is a prerequisite for SSO with MFA.

MFA can be enabled for specified users and specified roles, and configured for ease of use. For example you can exempt recognized devices for a number of hours.

You can view metrics for MFA use in the Security Center.

Learn more about SAML authentication using these resources:

• SAML 2.0 concepts
• SAML 2.0 configuration using Multi-Provider SSO

Create email filters to filter out messages marked as suspicious by ServiceNow Antivirus Protection. In addition to virus protection, Antivirus Protection analyzes email for malware and SPAM, scoring and the results adding this information to the message in x-headers. You can use these headers as criteria for the Email Filters Plugin to act on if desired.

Learn more about ServiceNow's antivirus feature at Antivirus Scanning.

Learn how to configure email filters on your instance at Email filters.

Use the ServiceNow syslog probe to send log messages from your instance to a Security Information and Event Manager (SIEM). An SIEM is third-party software or service that can be used for activity monitoring and identifying security events.

Learn more about ServiceNow syslog probe configuration at Syslog probe.

Consider using your own (or third-party) infrastructure to send and receive instance-related email and benefit from more precise perimeter email control.