CSA Guide

Instance Security Hardening Best Practices

Introduction

Out of the box, ServiceNow ships with reasonable default security settings, but reasonable defaults are not production hardening. Enterprise instances that store HR, financial, and operational data need deliberate security configuration. This guide covers the hardening steps every ServiceNow administrator should apply and, where a setting is easy to get wrong, how to verify it.


Authentication and Session Security

Multi-Factor Authentication

Enable MFA for all users, starting with administrators:

System Properties > Security > Enable multifactor authentication
Property: glide.authenticate.multifactor = true

Turning on the property only makes MFA available. Each locally authenticated user must also be enrolled, by default through the Enable Multifactor Authentication checkbox on their user record, so check that every admin account has it set rather than assuming the property covers them.

For enterprise deployments, integrate with your identity provider (Okta, Azure AD, Ping) via SAML 2.0 or OAuth and enforce MFA there. Keep one local break-glass admin account, with MFA enabled and its password held in a vault, for use through side_door.do when the identity provider is unavailable, and alert on every login by that account.

Session Timeout

Set a session timeout so that an unattended browser session stops being usable:

Property: glide.ui.session_timeout = 30 (minutes of inactivity)

The value applies instance-wide and is an idle timeout: it bounds exposure from abandoned sessions, not from a session an attacker keeps active, so it complements rather than replaces MFA and IP restrictions.
Property: glide.ui.session.timeout.warning = 5 (minutes before timeout)

Password Policy

User Administration > Password Policy

Configure minimum complexity, expiry, and history restrictions. With SSO, the identity provider's policy governs federated users, but the local policy still applies to the break-glass admin and to any locally authenticated service accounts, so do not leave it at defaults.


ACL and Permission Hardening

Enable Default Deny (Strict Mode)

The most important single ACL setting is the security manager's default mode, which the High Security Settings plugin sets to deny:

Property: glide.sm.default_mode = deny

With default deny, a table or field that no ACL matches is inaccessible. In allow mode, the older default, an object with no matching ACL is readable, writable and deletable by every authenticated user, which is exactly the state a freshly created custom table is in. Confirm the value rather than assuming it: an instance upgraded from an old release, or one where the mode was flipped to allow during a debugging session, may still be in allow mode.

Security Admin Elevated Privilege

The security_admin elevated privilege comes from the High Security Settings plugin, which is active by default on current instances but worth confirming on older ones:

System Definition > Plugins > High Security Settings

Once active, even admin users must elevate to security_admin in their current session (the Elevate Roles option in the user menu) before they can create or modify ACLs, and the elevation expires with the session. The separately named Security Jump Start (ACL Rules) plugin installs a baseline set of ACLs for core tables; it does not enforce this elevation.

Review Table-Level ACLs

Audit tables that hold sensitive data for missing or overly permissive ACLs. For each table, confirm that create, read, write and delete ACLs exist and that the roles they require are specific ones, not a broad role such as itil or an empty role list that any logged-in user satisfies:

  • hr_case (legacy HR cases)
  • sn_hr_core_case (HR Core cases)
  • sys_user (user records; also the field-level ACLs on user_password and email)
  • u_salary and other custom compensation tables
  • Any custom tables created by your team, including tables that extend a platform table and therefore inherit its ACLs, which may be broader than you intend

Admin Account Security

Minimize Admin Role Holders

// Background Script (System Definition > Scripts - Background): lists every active
// user who holds the admin role and whether the grant is direct or via a group.
var gr = new GlideRecord('sys_user_has_role');
gr.addQuery('role.name', 'admin');
gr.addQuery('user.active', true);
gr.orderBy('user.user_name');
gr.query();
var count = 0;
while (gr.next()) {
    // inherited = true means the role came through a group (granted_by), not a direct grant
    var how = gr.inherited.toString() == 'true' ? 'via group ' + gr.granted_by.getDisplayValue() : 'direct';
    gs.info(gr.user.user_name + ' | ' + gr.user.getDisplayValue() + ' | ' + how);
    count++;
}
gs.info('Active admin role holders: ' + count);

Produce this list quarterly and diff it against the previous run; a grant that arrives via a group is easy to miss when you only look at direct assignments. Every admin account is attack surface. Developers who needed admin to debug a configuration should have it revoked as soon as the issue is resolved, not at the next review.

Service Account Hygiene

Service accounts used for integrations:

  • Must have only the minimum roles required, granted directly rather than through broad groups
  • Must never have the admin role
  • Must be marked Web service access only on the user record, so the credential cannot be used for an interactive UI login
  • Must use a vault-managed credential (an OAuth client secret or a long random password) that the vault rotates, rather than relying on interactive password expiry, which causes outages without improving security
  • Must be disabled, not merely noted, when the integrations they serve are decommissioned

Network and API Security

IP Allowlisting for Admin Access

Restrict logins to known corporate and integration IP ranges:

System Security > IP Address Access Control

IP access control rules apply to every login to the instance, not only to admins, so an allow rule for the corporate ranges must be paired with rules covering the source addresses of every integration, or those integrations stop working. Test a new rule from an address outside the range before relying on it, and keep a documented recovery path in case a rule locks out the people who maintain it.

Mutual Authentication for Integrations

For machine-to-machine API integrations, use mutual TLS or OAuth 2.0 client credentials rather than Basic Authentication. Basic auth sends the same long-lived password on every request, so one captured request or one leaked log line gives durable access; an OAuth access token is short-lived and can be revoked without changing the account's credential. If Basic auth is unavoidable for a legacy client, give it a dedicated Web service access only user and an IP rule of its own.

REST API Rate Limiting

Limit the request rate an integration user or role can sustain, so a leaked credential or a runaway script cannot pull bulk data or exhaust the instance:

System Web Services > REST > Rate Limit Rules

A rule sets a maximum number of REST requests per hour and can be scoped to a user, a role, or all users. Start by scoping one to each integration account a little above its normal volume, then review System Web Services > REST > Rate Limit Violations before tightening.

Data Protection

Encrypted Fields

For fields containing credentials, keys, or highly sensitive PII:

System Security > Encryption Support > Encryption Configuration

Mark the fields as encrypted at rest. Decryption is tied to the role that owns the encryption context, so users without that role, including admins, do not see the plaintext. Encrypted fields cannot be used in list filters, searches, sorts, or reports, so encrypt the secret itself (the key, the national ID number), not the fields that workflows must query. Encryption complements ACLs rather than replacing them: the ACL still decides who can reach the record at all.

Attachment Security

Restrict attachment types so the instance cannot be used to store or distribute executable content:

System Properties > Security
Property: glide.attachment.extensions = pdf,png,jpg,jpeg,docx,xlsx,txt
Property: glide.security.file.mime_type.validation = true

glide.attachment.extensions is an allowlist, not a blocklist: list the types the business actually needs and everything else is refused, which is safer than trying to enumerate dangerous extensions (exe,bat,sh,ps1,vbs is never a complete list). MIME type validation checks the file's content against its declared type, so a renamed executable does not slip through as a .pdf. Browsers still render uploaded HTML and SVG, so keep those out of the allowlist unless a workflow requires them.

Audit Logging

Auditing Critical Tables

Enable auditing on sensitive tables so that every change is written to sys_audit with who changed it, when, the old value and the new value:

System Definition > Tables → select table → open the Collection dictionary entry → check "Audit"

Auditing is switched on per table, on the dictionary record whose type is Collection; individual fields that should not be recorded (large text, noisy counters) are excluded with the no_audit dictionary attribute. At minimum, audit:

  • sys_user — changes to user records (active flag, email, lock-out, Web service access only)
  • sys_user_has_role — role assignments and removals
  • sys_security_acl — ACL modifications (the table behind System Security > Access Control)
  • HR and finance tables

Audit Log Review

Schedule monthly reviews of:

  • New admin role assignments
  • ACL changes
  • Password resets on service accounts
  • Failed login attempts (System Logs > Events, event name login.failed), looking for bursts against one account rather than single failures

Security Best Practices Checklist

  • Set glide.sm.default_mode = deny (default deny, the page's "strict mode")
  • Confirm the High Security Settings plugin is active and security_admin elevation is required for ACL changes
  • Configure MFA, or SSO with MFA enforced at the identity provider, plus a local break-glass admin with MFA
  • Set session timeout ≤ 30 minutes
  • Audit admin role holders quarterly, including grants inherited through groups
  • Remove admin from all integration service accounts and mark them Web service access only
  • Enable auditing on sensitive tables
  • Review ACLs on custom tables for missing delete and write controls
  • Configure IP allowlisting, including the source ranges of every integration
  • Verify ACLs by impersonating a low-privilege user with System Security > Debug Security Rules enabled
  • Schedule monthly security log reviews

Conclusion

ServiceNow instances grow over time — more custom tables, more integrations, more users. Security hardening is not a one-time activity; it requires quarterly audits, regular review of role assignments, and disciplined handling of service accounts. The checklist above gives you a starting point. Treat it as a living document that evolves with your instance.
