Hardening settings

  • Release version: Yokohama
  • Updated January 30, 2025

    Summary of Hardening settings

    The ServiceNow Security Center (SSC) provides hardening settings that detail security-related system properties and plugins within the ServiceNow AI Platform. These settings can be managed through the Security Center’s hardening settings app, which calculates a daily compliance score indicating how closely your instance's security settings align with recommended compliance values.

    Each hardening setting includes attributes such as configuration name, type, data type, recommended and default values, security risk severity (using CVSS scoring), dependencies, functional impact, and reference documentation. Some configurations require assistance from ServiceNow Customer Service and Support.

    Key Features

    • Compliance Scoring: Daily percentage score reflecting your instance’s security compliance based on recommended hardening settings.
    • Comprehensive Configuration Details: Each setting includes important metadata to help you understand its purpose, impact, and security risk rating.
    • Security Risk Assessment: Uses CVSS scoring (0.0-10.0) to classify vulnerabilities from None to Critical, helping prioritize remediation efforts.
    • Category-Based Controls: Hardening settings are organized into categories such as Access Control, API and Web Service, Authentication, Communications, Data Protection, and more, covering a broad range of security domains.
    • Integration with Security Center: Manage and adjust security configurations directly within the Security Center interface.

    Security Categories Explained

    • Access Control: Protect resources by managing permissions and credentials effectively.
    • API and Web Service: Ensure APIs have robust authentication, authorization, and input validation.
    • Architecture, Design, and Threat Modeling: Incorporate secure design principles including confidentiality, integrity, and privacy.
    • Authentication: Implement modern authentication methods resistant to impersonation and interception.
    • Business Logic: Maintain secure application logic flow to prevent bypass and attacks.
    • Communications: Use strong encryption standards, TLS versions, and secure certificates for all connections.
    • Configuration: Maintain secure build environments and hardened third-party libraries.
    • Data Protection: Ensure confidentiality, integrity, and availability of data.
    • Error Handling and Logging: Manage logged information to avoid exposing sensitive data.
    • File and Resources: Securely handle files and data from untrusted sources.
    • Malicious Code: Ensure code is free from vulnerabilities and unwanted functionality.
    • Session Management: Secure user sessions with unique, unguessable tokens and proper invalidation.
    • Stored Cryptography: Use established algorithms for encrypting stored data and manage keys securely.
    • Validation, Sanitization, and Encoding: Protect against injection attacks like XSS and SQL injection by validating inputs properly.

    Practical Benefits for ServiceNow Customers

    By leveraging the Security Center’s hardening settings, ServiceNow customers can:

    • Continuously monitor and improve instance security compliance with actionable scores.
    • Understand the security impact and risks associated with each configuration setting.
    • Manage security settings in a centralized interface with guidance aligned to industry best practices.
    • Prioritize security improvements based on severity and potential impact to your environment.
    • Access detailed documentation and recommendations to support secure configuration and operation of your ServiceNow instance.

    The ServiceNow Security Center (SSC) hardening settings content contains detailed descriptions and compliance values for the security-related system properties and plugins in the ServiceNow AI Platform. You can set these properties using the hardening settings app in the Security Center.

    Overview and purpose

    The Security Center calculates a daily compliance score, expressed as a percentage, that reflects how closely your instance's current security settings match the compliance values in the Security Center hardening settings.

    You can manage the specific security configuration settings that may affect the score for your instance directly from the Security Center.

    Each hardening setting configuration is documented with the attributes described in Table 1.

    Table 1. Hardening settings configuration details

    Configuration attribute | Description
    Overview | Provides a high level overview of the recommendation.
    Configuration name | The property or plugin name.
    Configuration type | Describes where the property can be configured outside of the Security Center, such as in system properties (sys_properties_list.do).
    Data type | Describes the type of value required for the configuration. Examples are true/false boolean, installation, plugin, string, etc.
    Recommended value | The value that is recommended by the Security Center to enhance security compliance in your instance.
    Default value | The value that the configuration is set to in the base system.
    Category | The name and link to the category for the hardening setting.
    Security risk | Severity score: The score indicates the potential security risk to your instance as per the likelihood of the vulnerability to be exploited. The security vulnerability is considered and scored individually using the CVSS (Common Vulnerability Scoring System) score on a scale ranging from 0.0 to 10.0. See https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator for additional information. Severity rating per CVSS score: Critical: 9.0-10.0; High: 7.0-8.9; Medium: 4.0-6.9; Low: .01-3.9; None: 0.0. Security risk details: Describes the importance of the setting configuration and the risk of not utilizing the recommended configuration.
    Dependencies and prerequisites | Related settings or configurations that are required before or in conjunction with the hardening configuration.
    Functional impact | The impact this hardening setting has on the operation of your instance.
    References | Links to configuration documentation or other helpful information.

    Note: Some of the configurations can only be completed by Customer Service and Support and will be indicated as such.

    To learn more about ensuring your instances meet hardening requirements, see Security hardening.
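
To show how the Table 1 attributes fit together, the following added example (not ServiceNow code) audits an exported set of property values against recommended values and orders the gaps by CVSS severity rating. The unweighted percentage, the rule that an absent property is evaluated at its default value, and every setting name, value and score are assumptions constructed for the example; the page does not give the Security Center's scoring formula.

```python
# Added example: all setting names, values and scores below are constructed.

def severity_rating(score):
    """Map a CVSS score (0.0-10.0) to the severity rating bands of Table 1."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    # CVSS scores carry one decimal place, so anything above 0.0 is Low.
    return "Low" if score > 0.0 else "None"

def normalise(value):
    """Exports hold every value as text; compare trimmed and case-insensitively."""
    return str(value).strip().lower()

def audit(settings, current):
    """Return (compliance percentage, findings ordered by descending CVSS score).

    Assumptions: the score is an unweighted ratio of compliant settings, and a
    setting absent from `current` is evaluated at its default value.
    """
    findings = []
    for s in settings:
        actual = current.get(s["name"], s["default"])
        if normalise(actual) != normalise(s["recommended"]):
            findings.append({"name": s["name"], "actual": actual,
                             "recommended": s["recommended"], "score": s["cvss"],
                             "rating": severity_rating(s["cvss"])})
    findings.sort(key=lambda f: f["score"], reverse=True)
    if not settings:
        return 100.0, findings
    compliant = len(settings) - len(findings)
    return round(100.0 * compliant / len(settings), 1), findings

# Constructed baseline (name, recommended value, default value, CVSS score).
SETTINGS = [
    {"name": "example.setting.alpha", "recommended": "true", "default": "false", "cvss": 9.1},
    {"name": "example.setting.beta", "recommended": "true", "default": "true", "cvss": 5.3},
    {"name": "example.setting.gamma", "recommended": "false", "default": "true", "cvss": 7.5},
    {"name": "example.setting.delta", "recommended": "30", "default": "30", "cvss": 3.1},
]
# Constructed export of current values; alpha is absent, so its default applies.
CURRENT = {"example.setting.beta": "TRUE", "example.setting.gamma": "true",
           "example.setting.delta": "60"}

if __name__ == "__main__":
    percent, findings = audit(SETTINGS, CURRENT)
    print(f"compliance score: {percent}%")
    for f in findings:
        print(f'{f["rating"]:<8} {f["score"]:>4} {f["name"]}: {f["actual"]!r} -> {f["recommended"]!r}')
```
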

    Other resources

    For reference, the product documentation contains extensive information about the configuration capabilities of the ServiceNow AI Platform. You can access most of the security content using the links found in Secure your instance. Also, see the following: