Instance Security Hardening Best Practices
Introduction
Out of the box, ServiceNow comes with reasonable default security settings — but "reasonable defaults" are not "production hardened." Enterprise instances storing sensitive HR, financial, and operational data require deliberate security configuration. This guide provides the key hardening steps every ServiceNow administrator should apply.
Authentication and Session Security
Multi-Factor Authentication
Enable MFA for all users, especially administrators:
System Properties > Security > Enable multi-factor authentication
Property: glide.ui.security.mfa_enabled = true
For enterprise deployments, integrate with your identity provider (Okta, Azure AD, Ping) via SAML 2.0 or OAuth.
Session Timeout
Set appropriate session timeouts to limit exposure from unattended sessions:
Property: glide.ui.session.timeout = 30 (minutes)
Property: glide.ui.session.timeout.warning = 5 (minutes before timeout)
Password Policy
User Administration > Password Policy
Configure minimum complexity requirements, expiry periods, and history restrictions. For SSO implementations, defer to the identity provider's policy.
ACL and Permission Hardening
Enable Strict Mode
This is the single most important security property:
Property: glide.security.strict_mode = true
With strict mode on, any table or field without a matching ACL is inaccessible. Without it, unprotected objects are readable by all authenticated users.
Security Admin Plugin
Enable the Security Admin elevated privilege requirement:
System > Plugins > Security Jump Start
Once active, even admin users must activate the security_admin role in their session before modifying ACLs.
Review Table-Level ACLs
Audit tables that contain sensitive data for missing or overly permissive ACLs:
- hr_case (HR cases)
- sn_hr_core_case (HR Core)
- sys_user (User records)
- u_salary, custom compensation tables
- Any custom tables created by your team
Admin Account Security
Minimize Admin Role Holders
// Background Script — find active users holding the admin role
// Queries sys_user_has_role and dot-walks to the user record for the name and display value
var gr = new GlideRecord('sys_user_has_role');
gr.addQuery('role.name', 'admin');
gr.addQuery('user.active', true);
gr.query();
while (gr.next()) {
    gs.info(gr.user.user_name + ' | ' + gr.user.getDisplayValue());
}
Produce this list quarterly. Every admin account is an attack surface. Developers who needed admin to debug a configuration should have it revoked after the issue is resolved.
Service Account Hygiene
Service accounts used for integrations:
- Must have only the minimum roles required
- Must never have the admin role
- Must have non-expiring passwords managed in a secrets vault
- Must be audited when the integrations they serve are decommissioned
Network and API Security
IP Allowlisting for Admin Access
Restrict admin login to known corporate IP ranges:
System Security > IP Address Access Control
Configure rules that deny admin role activation from unexpected source IPs.
Mutual Authentication for Integrations
For machine-to-machine API integrations, use mutual TLS or OAuth 2.0 client credentials rather than Basic Authentication.
REST API Rate Limiting
Prevent API abuse:
System Properties > Inbound REST Rate Limiting
Property: glide.rest_api.throttle.enabled = true
Data Protection
Encrypted Fields
For fields containing credentials, keys, or highly sensitive PII:
System Security > Encryption Support > Encryption Configuration
Mark fields as encrypted-at-rest. Note that encrypted fields cannot be used in search conditions.
Attachment Security
Restrict attachment types to prevent malicious file uploads:
System Properties > Email
Property: glide.attachment.extensions.blocked = exe,bat,sh,ps1,vbs
Audit Logging
Auditing Critical Tables
Enable field-level audit logging for sensitive tables:
System Definition > Tables > select table > Dictionary Entries
Check "Audit" on each sensitive field
At minimum, audit:
- sys_user: user role changes
- sys_user_has_role: role assignments
- sys_acl: ACL modifications
- HR and finance tables
Audit Log Review
Schedule monthly reviews of:
- New admin role assignments
- ACL changes
- Password resets on service accounts
- Failed login attempts (accessible via the login audit log)
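The monthly review above can be scripted against an export of the audit data. The following is an added example, not part of the original guide: the rows are constructed to resemble sys_audit records (tablename, fieldname, documentkey, newvalue, user) and login.failed events, and the service-account names and thresholds are assumptions to map onto your own instance.

```javascript
// Added example (not part of the original guide): a review helper for the
// monthly audit-log checks. Rows are constructed to resemble sys_audit records
// (tablename, fieldname, documentkey, newvalue, user) and login.failed events;
// map them onto whatever export you pull from your instance.
const SERVICE_ACCOUNTS = new Set(['svc_integration', 'svc_monitoring']); // constructed

const SAMPLE_AUDIT = [ // constructed; documentkey holds the affected user or ACL name
  { tablename: 'sys_user_has_role', fieldname: 'role', documentkey: 'j.smith', newvalue: 'admin', user: 'a.admin', sys_created_on: '2024-05-02 09:12:00' },
  { tablename: 'sys_user_has_role', fieldname: 'role', documentkey: 'a.jones', newvalue: 'itil', user: 'a.admin', sys_created_on: '2024-05-03 10:00:00' },
  { tablename: 'sys_acl', fieldname: 'operation', documentkey: 'u_salary', newvalue: 'read', user: 'dev.user', sys_created_on: '2024-05-04 11:30:00' },
  { tablename: 'sys_user', fieldname: 'user_password', documentkey: 'svc_integration', newvalue: '*****', user: 'a.admin', sys_created_on: '2024-05-05 08:00:00' },
  { tablename: 'sys_user', fieldname: 'user_password', documentkey: 'a.jones', newvalue: '*****', user: 'a.jones', sys_created_on: '2024-05-05 08:05:00' },
];

const SAMPLE_LOGIN_EVENTS = [ // constructed
  { name: 'login.failed', user: 'svc_integration' },
  { name: 'login.failed', user: 'svc_integration' },
  { name: 'login.failed', user: 'svc_integration' },
  { name: 'login.failed', user: 'a.jones' },
];

// Walk the audit rows once and bucket the findings the monthly review looks for.
function reviewAuditLog(auditRows, loginEvents, serviceAccounts, failedLoginThreshold = 3) {
  const findings = { adminGrants: [], aclChanges: [], serviceAccountPasswordResets: [], repeatedFailedLogins: [] };
  for (const row of auditRows) {
    if (row.tablename === 'sys_user_has_role' && row.fieldname === 'role' && row.newvalue === 'admin') {
      findings.adminGrants.push({ grantedTo: row.documentkey, by: row.user, when: row.sys_created_on });
    } else if (row.tablename === 'sys_acl') {
      findings.aclChanges.push({ acl: row.documentkey, field: row.fieldname, newvalue: row.newvalue, by: row.user, when: row.sys_created_on });
    } else if (row.tablename === 'sys_user' && row.fieldname === 'user_password' && serviceAccounts.has(row.documentkey)) {
      // A password reset on an integration account should always have a matching change record.
      findings.serviceAccountPasswordResets.push({ account: row.documentkey, by: row.user, when: row.sys_created_on });
    }
  }
  // Count login.failed events per user and flag anything at or above the threshold.
  const failures = new Map();
  for (const ev of loginEvents) {
    if (ev.name !== 'login.failed') continue;
    failures.set(ev.user, (failures.get(ev.user) || 0) + 1);
  }
  for (const [user, count] of failures) {
    if (count >= failedLoginThreshold) findings.repeatedFailedLogins.push({ user, count });
  }
  return findings;
}

console.log(JSON.stringify(reviewAuditLog(SAMPLE_AUDIT, SAMPLE_LOGIN_EVENTS, SERVICE_ACCOUNTS), null, 2));
```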
Security Best Practices Checklist
- Enable glide.security.strict_mode = true
- Activate Security Jump Start plugin
- Configure MFA or SSO integration
- Set session timeout ≤ 60 minutes
- Audit admin role holders quarterly
- Remove admin from all integration service accounts
- Enable field-level auditing on sensitive tables
- Review ACLs on custom tables for missing DELETE controls
- Configure IP allowlisting for admin UI access
- Test all security configurations using the Security Debug tool
- Schedule monthly security log reviews
Conclusion
ServiceNow instances grow over time — more custom tables, more integrations, more users. Security hardening is not a one-time activity; it requires quarterly audits, regular review of role assignments, and disciplined handling of service accounts. The checklist above gives you a starting point. Treat it as a living document that evolves with your instance.