I had to prepare an instance for some penetration
testing. Turns out this is pretty easy.

So to start with you need to know what ServiceNow requires of you.
Here's that KB.

At the time of writing you need these pre-requirements;

  • Instance must be on most recent patch of supported family.
  • Instance must be unpinned.
  • Instance cannot be production.
  • Instance must have High Security Plugin enabled.
  • Instance must be hardened.
  • You can test once per calendar year, extra testing incurs
    cost.

That hardening guide on the HI site Docs is thorough. We needed HI to "Check Whitelist Package Calls" and
"Check Whitelist Member Calls". This will be an issue if you've been granted access to use something the like ZipFile java class
to zip some files from the server.

There's a great share (my copy)
that gets you most the way there. I'd suggest starting there. You may
need to configure some properties like what file extensions you'll allow but
its easier to do this then to manually create each property. Also it
checks for default accounts and passwords.