Hardening settings

  • Release version: Xanadu
  • Updated August 1, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Hardening settings

    The ServiceNow Security Center provides hardening settings that define security-related system properties and plugins within the ServiceNow AI Platform. These settings help you assess and improve your instance’s security compliance by comparing your configuration against recommended values. The Security Center calculates a daily compliance score based on this comparison, allowing you to manage and enhance your security posture directly from the Security Center interface.

    Key Features

    • Hardening Settings Attributes: Each configuration includes an overview, property/plugin name, location of configuration, data type, recommended and default values, category, security risk score (using CVSS), dependencies, functional impact, and references.
    • Security Risk Scoring: Uses the CVSS scoring system (0.0 to 10.0) to quantify potential security risks, categorized from None to Critical, helping prioritize remediation efforts.
    • Configuration Management: Some settings require Customer Service and Support intervention, indicated accordingly.
    • Integrated Documentation and Resources: Links to detailed configuration guides and security content are accessible within the Security Center and ServiceNow product documentation.

    Security Categories Covered

    The hardening settings encompass a broad range of security domains critical to enterprise security:

    • Access Control: Protects resources through permission models and credential validation.
    • API and Web Service: Ensures secure authentication, authorization, input validation, and session management for APIs.
    • Architecture, Design, and Threat Modeling: Addresses secure design principles including availability, confidentiality, integrity, non-repudiation, privacy, and secure software development lifecycle.
    • Authentication: Implements modern authentication controls to prevent impersonation and password interception.
    • Business Logic: Validates application-specific logic to prevent bypasses, automated attacks, and privilege escalations.
    • Communications: Ensures strong encryption, TLS versions, cipher suites, trusted certificates, and encrypted component connections.
    • Configuration: Promotes secure build environments, hardened third-party components, and automated testing for vulnerability prevention.
    • Data Protection: Focuses on confidentiality, integrity, and availability of data.
    • Error Handling and Logging: Controls logging quality and prevents sensitive information exposure.
    • File and Resources: Safeguards handling and storage of untrusted file data with limited permissions.
    • Malicious Code: Ensures code is free from vulnerabilities and unwanted behaviors.
    • Session Management: Secures user session uniqueness, token management, cookie attributes, and session invalidation.
    • Stored Cryptography: Covers secure encryption practices, key management, and data classification-based encryption.
    • Validation, Sanitization, and Encoding: Prevents common input-based attacks such as XSS and SQL injection through robust validation.

    Practical Benefits for ServiceNow Customers

    • Provides a structured and measurable approach to securing your ServiceNow instance.
    • Enables continuous security compliance monitoring with daily scoring and actionable recommendations.
    • Supports prioritization of security efforts based on defined severity levels and risk impact.
    • Facilitates centralized management and documentation access for security configuration.
    • Helps align your instance with best practices in security design, authentication, data protection, and operational integrity.

    The ServiceNow, Inc. Security Center hardening settings content contains detailed descriptions and compliance values for the security-related system properties and plugins in the ServiceNow AI Platform. You can set these properties using the hardening settings app in the Security Center.

    Overview and purpose

    The Security Center calculates a daily compliance score, expressed as a percentage, based on how closely your instance's current security settings match the compliance values in Security Center hardening settings.

    You can manage the specific security configuration settings that may affect the score for your instance directly from the Security Center.

    The hardening settings configurations are explained with several attributes described in the table.

    Table 1. Hardening settings configuration details
    Configuration attribute | Description
    Overview | Provides a high-level overview of the recommendation.
    Configuration name | The property or plugin name.
    Configuration type | Describes where the property can be configured outside of the Security Center, such as in system properties (sys_properties_list.do).
    Data type | Describes the type of value required for the configuration. Examples are true/false boolean, installation, plugin, string, etc.
    Recommended value | The value that is recommended by the Security Center to enhance security compliance in your instance.
    Default value | The value that the configuration is set to in the base system.
    Category | The name and link to the category for the hardening setting.
    Security risk | Severity score: The score indicates the potential security risk to your instance, based on the likelihood that the vulnerability is exploited. Each security vulnerability is considered and scored individually using the CVSS (Common Vulnerability Scoring System) on a scale ranging from 0.0 to 10.0. See https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator for additional information. Severity rating per CVSS score: Critical: 9.0-10.0; High: 7.0-8.9; Medium: 4.0-6.9; Low: .01-3.9; None: 0.0. Security risk details: Describes the importance of the setting configuration and the risk of not utilizing the recommended configuration.
    Dependencies and prerequisites | Related settings or configurations that are required before or in conjunction with the hardening configuration.
    Functional impact | The impact this hardening setting has on the operation of your instance.
    References | Links to configuration documentation or other helpful information.
    Note:
    Some of the configurations can only be completed by Customer Service and Support and will be indicated as such.

    To learn more about ensuring your instances meet hardening requirements, see Security hardening.
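
The comparison behind a compliance percentage can be sketched offline as follows; this is an added example, not ServiceNow code and not the Security Center's actual scoring method. It assumes an unweighted ratio of exactly matching settings and that an unset property takes its default value; all property names, values and CVSS scores are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Setting:
    name: str         # property name (hypothetical placeholders below)
    data_type: str    # "boolean", "integer" or "string"
    recommended: str  # recommended value from the hardening setting
    default: str      # base-system value; assumed to apply when the property is unset
    cvss: float       # security risk severity score, 0.0 to 10.0

def severity(score):
    """Map a CVSS score to the severity rating bands listed in Table 1."""
    for floor, label in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return label
    return "Low" if score > 0.0 else "None"

def normalize(value, data_type):
    """Compare by meaning rather than spelling: 'True' == 'true', '030' == '30'."""
    text = value.strip()
    if data_type == "boolean":
        return text.lower() == "true"
    return int(text) if data_type == "integer" else text

def audit(baseline, current):
    """Return (compliance percentage, findings sorted by descending CVSS score)."""
    findings = []
    for s in baseline:
        effective = current.get(s.name, s.default)  # unset property -> default value
        if normalize(effective, s.data_type) != normalize(s.recommended, s.data_type):
            findings.append((s.cvss, s.name, effective, s.recommended, severity(s.cvss)))
    findings.sort(key=lambda f: -f[0])
    return round(100.0 * (len(baseline) - len(findings)) / len(baseline), 1), findings

# Constructed sample data: names, values and scores are placeholders, not real settings.
BASELINE = [
    Setting("example.csrf.enabled", "boolean", "true", "false", 8.1),
    Setting("example.session.timeout_minutes", "integer", "30", "60", 5.3),
    Setting("example.debug.output", "boolean", "false", "false", 3.1),
    Setting("example.upload.allowed_types", "string", "pdf,png", "", 9.1),
]
CURRENT = {
    "example.csrf.enabled": "True",            # compliant despite the capital T
    "example.session.timeout_minutes": "60",   # differs from recommended 30
    "example.upload.allowed_types": "",        # differs from recommended list
}                                              # example.debug.output is unset

if __name__ == "__main__":
    print(audit(BASELINE, CURRENT))
```

Sorting the findings by CVSS score puts the Critical and High deviations first, which is the order in which they would normally be remediated.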

    Other resources

    For reference, the product documentation covers the configuration capabilities of the ServiceNow AI Platform extensively. You can access most of the security content using the links found in Secure your instance. Also, see the following: