ServiceNow: How to harden your instance - my notes

I had to prepare an instance for some penetration testing. Turns out this is pretty easy.

So to start with you need to know what ServiceNow requires of you. Here's that KB.

At the time of writing these are the prerequisites:

  • Instance must be on the most recent patch of a supported family.
  • Instance must be unpinned.
  • Instance cannot be production.
  • Instance must have High Security Plugin enabled.
  • Instance must be hardened.
  • You can test once per calendar year, extra testing incurs cost.

That hardening guide on the HI site Docs is thorough. We needed HI to "Check Whitelist Package Calls" and "Check Whitelist Member Calls". This will be an issue if you've been granted access to use something like the ZipFile Java class to zip some files on the server.

There's a great share (my copy) that gets you most of the way there. I'd suggest starting there. You may need to configure some properties, like which file extensions you'll allow, but it's easier to do this than to manually create each property. It also checks for default accounts and passwords.