New hardening settings for baseline version 2.0
Summary of New hardening settings for baseline version 2.0
The Security Center version 2.0 baseline introduces multiple new and updated hardening settings designed to enhance the security posture of ServiceNow instances. These settings focus on access controls, session management, data protection, and secure integration practices to help customers safeguard their platforms against unauthorized access and potential vulnerabilities.
Key Features
- Access Control Enhancements: checking archive table ACLs, enforcing scoped ACL access for information request playbooks, requiring write access to reach the service catalog add item page, restricting knowledge base access, enforcing strict elevate privilege, enabling the protected tables plugin, checking impersonation during ACL evaluation in the HR application, requiring access checks for dashboard creation, deletion, and sharing, and enforcing scope security for public sector digital services.
- Session and Authentication Controls: proactively invalidating inactive sessions, limiting the active session life span for integrations, the UI, and guests, defining exception roles for the active session timeout, bounding the anti-CSRF token validation time, and requiring a captcha for the guest walk-up experience in the customer service application.
- Data and Integration Security: verifying certificate revocation and enforcing the OCSP check on network error, enabling the hardened Java security manager, requiring credential alias usage, using the secure insert multiple operation in the import set API, restricting OAuth parameters to the POST body, requiring JMS connection factories, validating the file MIME type in the AttachmentCreator SOAP web service, limiting attachment size in training and prediction flows (including the GraphQL endpoints), and disabling the legacy GlideRecord scope fencing behavior.
- Audit and Logging Improvements: enabling the MID audit log and logging session audit events, so that MID Server and session activity can be traced after the fact.
- Additional Protections: disallowing target cloning, enforcing device encryption and passcode requirements and clearing the pasteboard when the mobile application is backgrounded, restricting HR case updates from personal emails, hiding user comments on articles, enforcing a secure referrer policy, and setting a safe content security policy for SVG files.
Key Outcomes
By adopting the new hardening settings in baseline version 2.0, ServiceNow customers get stronger access governance, tighter session control, and additional data integrity safeguards. Together the settings reduce the instance's attack surface, tighten authentication and authorization, and bring the configuration in line with current security best practices. Customers benefit from better protection of sensitive data, more secure integrations, and improved auditability of system activity.
Here's a list of the hardening settings carried in the Security Center version 2.0 baseline that were introduced in Security Center 1.3 or later. The bracketed note on each entry records the version in which the setting was added, updated, or removed; a setting marked as removed is no longer part of the baseline from that version onward.
- Ensure archive table ACLs are checked [New in Security Center 1.3 and updated in 1.5]
- Enforce application scope restrictions [New in Security Center 1.3 and removed in 1.5]
- Enable the hardened java security manager [New in Security Center 1.3]
- Verify certificate revocation [New in Security Center 1.3]
- Require clearing pasteboard when backgrounding mobile application [New in Security Center 1.3 and updated in 1.5]
- Enable protected tables plugin [New in Security Center 1.3]
- Enforce strict elevate privilege [New in Security Center 1.3]
- Limit integrations' active session life span [New in Security Center 1.3]
- Proactively invalidate inactive sessions [New in Security Center 1.3 and updated in 1.5 and 2.0]
- Enable MID audit log [New in Security Center 1.3 and updated in 1.5]
- Use of secure insert multiple operation within import set API [New in Security Center 1.3]
- Enforce OCSP check on network error [New in Security Center 1.3 and updated in 2.0]
- Enforce security rules to sharing dashboards [New in Security Center 1.3]
- Restrict oauth parameters to POST body [New in Security Center 1.3]
- Limit attachment size in training and prediction flows for GraphQL endpoints [New in Security Center 1.3 and updated in 1.5]
- Disable GlideRecord Scope Fencing Legacy Behavior [New in Security Center 1.3 and updated in 1.5 and 2.0]
- Enforce credential alias usage [New in Security Center 1.3 and updated in 1.5]
- Required jms connection factories [New in Security Center 1.3 and updated in 1.5 and 2.0]
- Limit attachment size in training and prediction flows [New in Security Center 1.3 and updated in 1.5]
- Log session audit events [New in Security Center 1.3 and updated in 1.5]
- Require write access to access service catalog add item page [New in Security Center 1.3]
- Define active session timeout exception roles [New in Security Center 1.3]
- Certificate based authentication not enforced [New in Security Center 1.3]
- Enforce scoped ACL access for information request playbooks [New in Security Center 1.3 and updated in 1.5]
- Hide user comments on articles [New in Security Center 1.3]
- Ensure dashboards creation/deletion requires access check [New in Security Center 1.3 and updated in 2.0]
- Enforce device encryption and passcode requirements [New in Security Center 1.3]
- Validate file mime type in AttachmentCreator soap web service [New in Security Center 1.3 and updated in 1.5]
- Check impersonation on ACL evaluation in HR App [New in Security Center 1.3 and updated in 1.5]
- Require captcha for guest walk-up experience in customer service application [New in Security Center 1.3 and updated in 1.5]
- Require Authentication on Event Management HTTP Processor [New in Security Center 1.3, updated in 1.5, and removed in 2.0]
- Limit guest's active session life span [New in Security Center 1.3]
- Disallow target cloning [New in Security Center 1.3]
- Set safe content security policy for svg files [New in Security Center 1.3]
- Anti-CSRF token validation time [New in Security Center 1.3]
- Restrict knowledge bases access [New in Security Center 1.3]
- Enforce scope security for public sector digital services [New in Security Center 1.3]
- Restrict HR case updates from personal emails [New in Security Center 1.3 and updated in 1.5]
- Limit UI active session life span [New in Security Center 1.3]
- Enforce secure referrer policy [New in Security Center 1.3]
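The bracketed version notes above are the only record of which settings a given baseline version actually evaluates, and two of the entries are marked as removed while one is listed twice. The following is an added example, not ServiceNow code and not part of the Security Center product, that parses entries in exactly that shape and answers two questions a reviewer has after an upgrade: which settings a baseline of a given version includes, and which were introduced or updated in that version. The sample entries are copied from the list; the one assumption is how a "removed in X" note is read: the setting is present in baselines before X and absent from X onward.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: entries copied from the list above, deliberately including
# both "removed" settings and the duplicated "Verify certificate revocation"
# entry so the edge cases are exercised. Any list in the same shape works.
BASELINE_ENTRIES = [
    "Ensure archive table ACLs are checked [New in Security Center 1.3 and updated in 1.5]",
    "Enforce application scope restrictions [New in Security Center 1.3 and removed in 1.5]",
    "Proactively invalidate inactive sessions [New in Security Center 1.3 and updated in 1.5 and 2.0]",
    "Require Authentication on Event Management HTTP Processor [New in Security Center 1.3, Updated in 1.5, and removed in 2.0]",
    "Verify certificate revocation [New in Security Center 1.3]",
    "Verify certificate revocation [New in Security Center 1.3]",
]

Version = tuple[int, ...]

# A token is either an event keyword ("new in", "updated in", "removed in") or a
# bare version number. A version that follows an event without its own keyword
# ("updated in 1.5 and 2.0") inherits the most recent event.
TOKEN_RE = re.compile(r"\b(new|updated|removed)\s+in\b|(\d+(?:\.\d+)+)", re.IGNORECASE)
ENTRY_RE = re.compile(r"^(?P<name>.*?)\s*\[(?P<history>.*)\]\s*$")


def version_key(text: str) -> Version:
    """'1.5' -> (1, 5). Tuples compare correctly where strings would not ('1.10' < '1.5')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Setting:
    name: str
    introduced: Version
    updated: list[Version] = field(default_factory=list)
    removed: Optional[Version] = None

    def active_in(self, target: Version) -> bool:
        # Assumption: present from the introducing version up to, but not including, the removing one.
        return self.introduced <= target and (self.removed is None or target < self.removed)


def parse_entry(entry: str) -> Setting:
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"entry has no [version history] suffix: {entry!r}")
    name, history = m.group("name"), m.group("history")
    event: Optional[str] = None
    introduced: Optional[Version] = None
    updated: list[Version] = []
    removed: Optional[Version] = None
    for tok in TOKEN_RE.finditer(history):
        if tok.group(1):
            event = tok.group(1).lower()
            continue
        ver = version_key(tok.group(2))
        if event == "new":
            introduced = ver
        elif event == "updated":
            updated.append(ver)
        elif event == "removed":
            removed = ver
        else:
            raise ValueError(f"version {tok.group(2)} appears before any event in {entry!r}")
    if introduced is None:
        raise ValueError(f"no 'New in' version in {entry!r}")
    return Setting(name, introduced, updated, removed)


def parse_baseline(entries: list[str]) -> list[Setting]:
    """Parse every entry, keeping only the first occurrence of a repeated setting name."""
    seen: set[str] = set()
    settings: list[Setting] = []
    for entry in entries:
        setting = parse_entry(entry)
        if setting.name in seen:
            continue
        seen.add(setting.name)
        settings.append(setting)
    return settings


def active_settings(entries: list[str], target: str) -> list[str]:
    """Names of the settings a baseline of the given version evaluates."""
    t = version_key(target)
    return [s.name for s in parse_baseline(entries) if s.active_in(t)]


def changed_in(entries: list[str], version: str) -> list[str]:
    """Names of settings introduced or updated in exactly this version (the ones to re-review after an upgrade)."""
    v = version_key(version)
    return [s.name for s in parse_baseline(entries) if s.introduced == v or v in s.updated]


if __name__ == "__main__":
    for target in ("1.3", "1.5", "2.0"):
        print(target, "active:", active_settings(BASELINE_ENTRIES, target))
        print(target, "new/updated:", changed_in(BASELINE_ENTRIES, target))
```

Feeding the whole list above through `active_settings(..., "2.0")` drops "Enforce application scope restrictions" and "Require Authentication on Event Management HTTP Processor" and collapses the duplicated certificate revocation entry, while `changed_in(..., "2.0")` isolates the handful of settings whose 2.0 update should be re-checked against the instance. Versions are compared as integer tuples rather than strings so that a future "1.10" sorts after "1.5".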