ServiceNow: How to harden your instance - my notes

A while ago I was tasked to prepare an instance for some penetration testing. Turns out this is a thing you can do pretty easily.

So to start with you need to know what ServiceNow requires of you. Here's that KB.

At the time of writing you need these prerequisites:

  • Instance must be on most recent patch of supported family.
  • Instance must be unpinned.
  • Instance cannot be production.
  • Instance must have High Security Plugin enabled.
  • Instance must be hardened.
  • You can only test once per calendar year, additional testing incurs cost.

That hardening guide on the HI site is really thorough. The only things we couldn't do by ourselves were "Check Whitelist Package Calls" and "Check Whitelist Member Calls". This will be an issue if you've been granted access to use something like the ZipFile Java class to zip some files from the server.

There's a great Share (and my copy of it) that gets you most of the way there; I'd suggest starting there. You may need to configure some things, like which file extensions you'll allow, but it's easier to do this than to manually create each property. It also checks for default accounts and passwords.
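As an added example (not code from the post, the Share it mentions, or ServiceNow), here is the kind of check that Share automates, written as an offline audit you can run with Node.js against an exported snapshot of sys_properties and sys_user rather than through GlideRecord. The property names, the expected values, the risky-extension list and the demo account names are assumptions taken from common hardening advice; confirm each one against the hardening guide for your family before treating a finding as authoritative.

```javascript
// Added example: offline audit of a ServiceNow hardening baseline.
// Input is a constructed snapshot of sys_properties ({ name, value }) and
// sys_user ({ user_name, active, locked_out }) rows, e.g. exported as JSON.
// Property names and expected values below are an assumed baseline, not the
// hardening guide itself; check them against the guide for your release.

// Extensions that should never appear in the attachment allow-list (assumed).
const RISKY_EXTENSIONS = new Set(['exe', 'bat', 'cmd', 'js', 'vbs', 'html', 'htm', 'svg']);

// Each rule: property name, a test over its string value, and the finding text.
const PROPERTY_RULES = [
  {
    name: 'glide.attachment.extensions',
    // an empty list means "allow everything", so it must be non-empty and clean
    test: v => v.trim() !== '' &&
      !v.split(',').map(e => e.trim().toLowerCase()).some(e => RISKY_EXTENSIONS.has(e)),
    message: 'attachment allow-list is empty (allows everything) or contains a risky extension',
  },
  {
    name: 'glide.security.file.mime_type.validation',
    test: v => v === 'true',
    message: 'MIME type validation of uploads is disabled',
  },
  {
    name: 'glide.ui.escape_text',
    test: v => v === 'true',
    message: 'HTML escaping of text fields is disabled (XSS exposure)',
  },
  {
    name: 'glide.basicauth.required.soap',
    test: v => v === 'true',
    message: 'SOAP endpoints do not require authentication',
  },
  {
    name: 'glide.ui.session_timeout',
    test: v => Number.isInteger(Number(v)) && Number(v) > 0 && Number(v) <= 60,
    message: 'session timeout is missing, non-numeric or longer than 60 minutes',
  },
];

// Out-of-box demo accounts that should be inactive or locked (assumed list).
// "admin" is deliberately not here: its password strength cannot be judged offline.
const DEFAULT_ACCOUNTS = new Set(['abel.tuter', 'abraham.lincoln', 'itil', 'employee']);

// Evaluate every rule against the property rows; a missing property is a finding too.
function auditProperties(rows) {
  const values = new Map(rows.map(r => [r.name, String(r.value)]));
  const findings = [];
  for (const rule of PROPERTY_RULES) {
    if (!values.has(rule.name)) {
      findings.push(`${rule.name}: property not set (${rule.message})`);
    } else if (!rule.test(values.get(rule.name))) {
      findings.push(`${rule.name}=${values.get(rule.name)}: ${rule.message}`);
    }
  }
  return findings;
}

// Flag default accounts that are still usable (active and not locked out).
function auditDefaultAccounts(users) {
  return users
    .filter(u => DEFAULT_ACCOUNTS.has(u.user_name) && u.active && !u.locked_out)
    .map(u => `${u.user_name}: default account is active and not locked out`);
}

function runAudit(snapshot) {
  return [...auditProperties(snapshot.properties), ...auditDefaultAccounts(snapshot.users)];
}

// Constructed snapshot mimicking a partially hardened sub-production instance.
const SAMPLE_SNAPSHOT = {
  properties: [
    { name: 'glide.attachment.extensions', value: 'pdf,docx,xlsx,js' },
    { name: 'glide.security.file.mime_type.validation', value: 'true' },
    { name: 'glide.ui.escape_text', value: 'false' },
    { name: 'glide.ui.session_timeout', value: '30' },
    // glide.basicauth.required.soap deliberately absent
  ],
  users: [
    { user_name: 'admin', active: true, locked_out: false },
    { user_name: 'abel.tuter', active: true, locked_out: false },
    { user_name: 'itil', active: false, locked_out: false },
  ],
};

const findings = runAudit(SAMPLE_SNAPSHOT);
console.log(findings.length ? findings.join('\n') : 'no findings');
```

Running it on the constructed snapshot reports four findings: the `js` entry in the attachment allow-list, `glide.ui.escape_text` being off, the unset SOAP basic-auth property, and the still-active `abel.tuter` demo account. The point of keeping rules as data is that you can extend the array as you walk through the hardening guide and re-run the audit after each change instead of re-reading every property by hand.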