WHITE PAPER
12
Security Best Practices Guide v2.4 | June 2024
Release: Washington, DC
Access control
Every user must have an associated unique user account defined within the Now Platform instance, and their identity must be established before access is granted. The most important methods for controlling access to a customer’s instance are user authentication to verify identity, and authorization to control access levels and permissions.
Outbound IP access controls are configured using the IP Address Access Control feature in the Now Platform. Additionally, ServiceNow supports the System for Cross-domain Identity Management (SCIM) protocol, which allows customers to synchronize user and group data from external identity providers.
Authentication
Account and password control
Now Platform instances come with certain built-in accounts such as “admin,” “ITIL,” and “employee” which are provisioned with default passwords unique to the instance. Default passwords should be changed as soon as possible.
• Customers have full control over the password policies enforced for access to their instance. For native or local accounts, customers can specify length, complexity, expiration, uniqueness, lockout, etc. (this can be set in the GUI). To maximize security, encourage the adoption of long passphrases and aim to eliminate the use of simple, “common” passwords. Customers can of course retain their existing policies for any external authentication services they have integrated, such as LDAP, SAML, etc.
• There are some security-related adjustments to the login page to consider. “Remember Me” is a feature for caching user login credentials in a browser. This feature can present security issues if users access their instance from an insecure endpoint, e.g., a shared computer. The Instance Hardening Guide recommends disabling this feature.
• Remove credentials from the Welcome page and disable password-less authentication (logging in to the Now Platform with blank passwords).
• Configuring account lockout after a number of failed logins within a certain time frame can help guard against brute force authentication attacks.
• ServiceNow provides further guidance on enhancing authentication security in the Defending Your Now Platform Instance Against Password Spray Attacks knowledge base article (requires a Now Support account).
• Activating the System for Cross-Domain Identity Management (SCIM) plugin allows customers to easily provision and manage user identities, group membership and other properties from sources external to their instance, using an industry-standard protocol. These typically include cloud-based services like Active Directory, Amazon Web Services, Okta and others. The ServiceNow SCIM feature frees customers from having to create and manage multiple customized SOAP APIs.
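The two local-account controls listed above, a password policy that favours long passphrases and rejects common passwords, and lockout after repeated failures inside a time window, are illustrated below in plain JavaScript. This is an added example, not ServiceNow code and not the Now Platform's password-policy or lockout implementation; the policy values, the denylist and the login sequence are constructed for the illustration.

```javascript
// Added illustration (not ServiceNow code): local-account password policy
// plus a failed-login lockout window. All policy values are constructed.
const PASSWORD_POLICY = {
  minLength: 14,              // long passphrases are encouraged over short "complex" strings
  requireMixedClasses: 3,     // at least 3 of: lower, upper, digit, symbol ...
  passphraseLength: 20,       // ... unless the password is at least this long
  // Constructed sample of "common" passwords; a real denylist is far larger.
  denylist: new Set(['password', 'welcome1', 'changeme', 'admin123']),
};

const LOCKOUT_POLICY = {
  maxFailures: 5,             // failed attempts tolerated ...
  windowMs: 15 * 60 * 1000,   // ... within this window before the account locks
  lockoutMs: 30 * 60 * 1000,  // how long the lock lasts
};

// Returns a list of policy violations; an empty list means the password is acceptable.
function checkPassword(password, username) {
  const problems = [];
  if (password.length < PASSWORD_POLICY.minLength) problems.push('too short');
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(password)).length;
  if (classes < PASSWORD_POLICY.requireMixedClasses &&
      password.length < PASSWORD_POLICY.passphraseLength) {
    problems.push('insufficient character variety');
  }
  if (PASSWORD_POLICY.denylist.has(password.toLowerCase())) problems.push('common password');
  if (username && password.toLowerCase().includes(username.toLowerCase())) {
    problems.push('contains username');
  }
  return problems;
}

// Tracks failed logins per account and applies the lockout policy.
class LoginAttemptTracker {
  constructor(policy = LOCKOUT_POLICY) {
    this.policy = policy;
    this.failures = new Map();   // username -> timestamps (ms) of recent failures
    this.lockedUntil = new Map(); // username -> timestamp (ms) when the lock expires
  }

  isLocked(username, now) {
    const until = this.lockedUntil.get(username);
    if (until === undefined) return false;
    if (now >= until) { this.lockedUntil.delete(username); return false; }
    return true;
  }

  // Records a failed login; returns true if this failure triggered a lockout.
  recordFailure(username, now) {
    const cutoff = now - this.policy.windowMs;
    const recent = (this.failures.get(username) || []).filter((t) => t > cutoff);
    recent.push(now);
    this.failures.set(username, recent);
    if (recent.length >= this.policy.maxFailures) {
      this.lockedUntil.set(username, now + this.policy.lockoutMs);
      this.failures.delete(username);
      return true;
    }
    return false;
  }

  recordSuccess(username) { this.failures.delete(username); }
}

// Replays a sequence of login attempts and returns the outcome of each one.
// A correct password is still rejected while the account is locked.
function simulate(attempts, tracker = new LoginAttemptTracker()) {
  return attempts.map(({ user, ok, at }) => {
    if (tracker.isLocked(user, at)) return 'locked';
    if (ok) { tracker.recordSuccess(user); return 'success'; }
    return tracker.recordFailure(user, at) ? 'locked' : 'failed';
  });
}

// Constructed login sequence: five failures within 15 minutes, a correct
// password while locked, then a correct password after the lock expires.
const SAMPLE_ATTEMPTS = [
  { user: 'jdoe', ok: false, at: 0 },
  { user: 'jdoe', ok: false, at: 60000 },
  { user: 'jdoe', ok: false, at: 120000 },
  { user: 'jdoe', ok: false, at: 180000 },
  { user: 'jdoe', ok: false, at: 240000 },
  { user: 'jdoe', ok: true, at: 300000 },
  { user: 'jdoe', ok: true, at: 240000 + 30 * 60 * 1000 + 1 },
];

console.log(checkPassword('password', 'jdoe'));
console.log(checkPassword('correct horse battery staple', 'jdoe'));
console.log(simulate(SAMPLE_ATTEMPTS));
```

The passphrase exemption is a deliberate design choice: a 28-character lowercase phrase passes, while an 8-character word fails on length, variety and the denylist at once, which is the trade-off the guide's "long passphrases over common passwords" advice expresses.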
Authentication mechanisms
The Now Platform offers a selection of authentication mechanisms.
Basic or native authentication uses local accounts defined within the instance, while SAML 2.0, LDAP, OAuth 2.0, and certificate-based authentication enable integration with external services.
SAML 2.0 is often preferred as an authentication method as it is very secure and widely used. Most customers will already have some form of SAML Identity Provider (IdP) such as ADFS, Ping, or others.
• Multi-provider Single Sign On (SSO) makes it possible to combine SSO with other authentication methods, including OpenID Connect (OIDC). OIDC allows users to authenticate using third-party credentials, such as credentials from Google, Azure, Okta or others.
• For high-security environments, customers can use Personal Identity Verification (PIV) card or Common Access Card (CAC) authentication as an extension of certificate-based authentication, where certificates are stored on a smartcard.
• Customers can help prevent unauthorized access to their instance from networks unrelated to their organization by setting an inbound IP access restriction. For this access restriction ServiceNow recommends using Adaptive Auth, typically only allowing external addresses from the customer’s gateway or web proxy. Anyone trying to access the instance from an unauthorized range will be denied. If using this approach, consider where all users access the instance from, e.g., remote users. Customers can control outbound as well as inbound access by IP address.
• Adaptive Authentication allows a combination of criteria including IP address, role, and group membership to be used to create granular access control policies. These can be applied to Web Services/APIs as well as to normal user access.
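The inbound IP restriction and the Adaptive Authentication criteria from the last two bullets (source address range, role and group membership, applied to both interactive and API access) are worked through below as a small policy evaluator in plain JavaScript. This is an added example, not ServiceNow's Adaptive Authentication or IP Address Access Control implementation; the CIDR ranges, roles, groups and policy names are constructed sample values, and the default-deny behaviour when no policy covers a channel is an assumption made for the illustration.

```javascript
// Added illustration (not ServiceNow code): access policies that combine
// source IP range, role and group criteria for UI and API channels.
// All addresses, roles, groups and policy names are constructed samples.

// Parses dotted IPv4 into an unsigned 32-bit integer; throws on malformed input.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error(`invalid IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`invalid IPv4 address: ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when ip lies inside the CIDR block, e.g. inCidr('203.0.113.9', '203.0.113.0/24').
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`invalid prefix: ${cidr}`);
  // JS masks shift counts to 5 bits, so a /0 mask must be special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Constructed policies. A policy applies when the channel matches and the
// subject holds any listed role / belongs to any listed group (absent lists
// match everyone). Every applicable policy must allow the source address.
const POLICIES = [
  { name: 'All users: corporate gateway or VPN egress', channel: 'ui',
    allowedCidrs: ['203.0.113.0/24', '198.51.100.0/24'] },
  { name: 'Admins only from corporate gateway', channel: 'ui',
    roles: ['admin'], allowedCidrs: ['203.0.113.0/24'] },
  { name: 'Contractors restricted to the lower VPN half', channel: 'ui',
    groups: ['Contractors'], allowedCidrs: ['198.51.100.0/25'] },
  { name: 'Integration accounts via API from partner gateway only', channel: 'api',
    roles: ['integration'], allowedCidrs: ['192.0.2.10/32'] },
];

// Evaluates one request { channel, ip, roles, groups } and returns the decision
// with the policy that produced it. No applicable policy means deny (assumed default).
function evaluateAccess(request, policies = POLICIES) {
  const applicable = policies.filter((p) =>
    p.channel === request.channel &&
    (!p.roles || p.roles.some((r) => request.roles.includes(r))) &&
    (!p.groups || p.groups.some((g) => request.groups.includes(g))));
  if (applicable.length === 0) {
    return { decision: 'deny', reason: `no policy grants ${request.channel} access` };
  }
  for (const p of applicable) {
    if (!p.allowedCidrs.some((c) => inCidr(request.ip, c))) {
      return { decision: 'deny', reason: `${p.name}: ${request.ip} outside allowed ranges` };
    }
  }
  return { decision: 'allow', reason: applicable.map((p) => p.name).join('; ') };
}

// Constructed requests covering the combinations worth checking.
const SAMPLE_REQUESTS = [
  { channel: 'ui', ip: '203.0.113.42', roles: ['admin'], groups: [] },          // allow
  { channel: 'ui', ip: '198.51.100.7', roles: ['admin'], groups: [] },          // deny: admin policy
  { channel: 'ui', ip: '198.51.100.200', roles: [], groups: ['Contractors'] },  // deny: contractor policy
  { channel: 'ui', ip: '198.51.100.200', roles: [], groups: ['Staff'] },        // allow: baseline only
  { channel: 'api', ip: '192.0.2.10', roles: ['integration'], groups: [] },     // allow
  { channel: 'api', ip: '203.0.113.42', roles: [], groups: ['Staff'] },         // deny: no API policy
];

function evaluateAll(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => evaluateAccess(r).decision);
}

console.log(evaluateAll());
```

The ordering matters for the remote-user caveat in the text: a broad baseline range lets VPN users in, while the role- and group-scoped policies tighten that range for privileged or external subjects without widening it for anyone else.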