instance-security

Instance Security for ServiceNow

Instance Security covers authentication, authorization, and security hardening.

Security Layers

Network Security ↓ Authentication (SSO, MFA) ↓ Session Management ↓ Authorization (ACLs, Roles) ↓ Data Protection ↓ Audit & Logging

Key Tables

Table Purpose

sys_user

User accounts

sys_user_role

Roles

sys_security_acl

Access controls

sysevent_log

Security events

sys_properties

Security settings

Authentication Security (ES5)

Password Policy Configuration

// Check password strength (ES5 ONLY!) function validatePasswordStrength(password) { var issues = []

// Minimum length var minLength = parseInt(gs.getProperty("glide.security.password.min_length", "8"), 10) if (password.length < minLength) { issues.push("Password must be at least " + minLength + " characters") }

// Complexity requirements if (!/[A-Z]/.test(password)) { issues.push("Password must contain uppercase letter") } if (!/[a-z]/.test(password)) { issues.push("Password must contain lowercase letter") } if (!/[0-9]/.test(password)) { issues.push("Password must contain number") } if (!/[!@#$%^&*(),.?":{}|<>]/.test(password)) { issues.push("Password must contain special character") }

return { valid: issues.length === 0, issues: issues, } }

Session Security

// Check session validity (ES5 ONLY!) function isSessionSecure() { var session = gs.getSession()

// Check session age var maxAge = parseInt(gs.getProperty("glide.security.session.timeout", "60"), 10) var sessionAge = session.getSessionAge() / 60000 // Convert to minutes

if (sessionAge > maxAge) { return { valid: false, reason: "Session expired" } }

// Check for session fixation var clientIP = gs.getSession().getClientIP() var originalIP = session.getValue("original_ip")

if (originalIP && clientIP !== originalIP) { return { valid: false, reason: "IP address changed" } }

return { valid: true } }

// Force re-authentication function requireReauthentication(reason) { gs.getSession().invalidate() gs.addErrorMessage(reason) // Redirect to login response.sendRedirect("/login.do") }

MFA Implementation (ES5)

Check MFA Status

// Check if user has MFA enabled (ES5 ONLY!) function hasMFAEnabled(userSysId) { var user = new GlideRecord("sys_user") if (!user.get(userSysId)) { return false }

// Check MFA settings var mfa = new GlideRecord("sys_user_mfa") mfa.addQuery("user", userSysId) mfa.addQuery("active", true) mfa.query()

return mfa.hasNext() }

// Enforce MFA for sensitive operations function requireMFA(operation) { var userId = gs.getUserID()

if (!hasMFAEnabled(userId)) { gs.addErrorMessage("MFA required for " + operation) return false }

// Check if MFA verified this session var session = gs.getSession() var mfaVerified = session.getValue("mfa_verified")

if (mfaVerified !== "true") { // Trigger MFA challenge gs.eventQueue("user.mfa.challenge", null, userId, operation) return false }

return true }

Input Validation (ES5)

XSS Prevention

// Sanitize user input (ES5 ONLY!) function sanitizeInput(input) { if (!input) return ""

// Encode HTML entities var sanitized = input .toString() .replace(/&/g, "&") .replace(/</g, "<") .replace(/>/g, ">") .replace(/"/g, """) .replace(/'/g, "'")

return sanitized }

// Validate and sanitize before storage function validateUserInput(tableName, fieldName, value) { // Check field type var dict = new GlideRecord("sys_dictionary") dict.addQuery("name", tableName) dict.addQuery("element", fieldName) dict.query()

if (!dict.next()) { return { valid: false, error: "Field not found" } }

var fieldType = dict.getValue("internal_type")

// Validate based on type if (fieldType === "string" || fieldType === "html") { // Check for script injection if (/<script/i.test(value)) { return { valid: false, error: "Script tags not allowed" } } // Check for event handlers if (/on\w+\s*=/i.test(value)) { return { valid: false, error: "Event handlers not allowed" } } }

return { valid: true, sanitized: sanitizeInput(value) } }

SQL Injection Prevention

// Safe query building (ES5 ONLY!) // NEVER concatenate user input directly into queries

// BAD - Vulnerable to injection // gr.addEncodedQuery('name=' + userInput);

// GOOD - Use parameterized queries function safeQuery(tableName, fieldName, value) { var gr = new GlideRecord(tableName)

// GlideRecord methods handle escaping gr.addQuery(fieldName, value) gr.query()

return gr }

// For encoded queries, validate input function safeEncodedQuery(tableName, userQuery) { // Whitelist allowed fields var allowedFields = ["number", "short_description", "state", "priority"]

// Parse and validate query var parts = userQuery.split("^") var safeQuery = []

for (var i = 0; i < parts.length; i++) { var part = parts[i] var match = part.match(/^(\w+)(=|!=|LIKE|CONTAINS)(.+)$/)

if (match) {
  var field = match[1]
  if (allowedFields.indexOf(field) !== -1) {
    safeQuery.push(part)
  }
}

}

var gr = new GlideRecord(tableName) if (safeQuery.length > 0) { gr.addEncodedQuery(safeQuery.join("^")) } gr.query()

return gr }

Security Properties (ES5)

Key Security Settings

// Get security-related properties (ES5 ONLY!) function getSecuritySettings() { return { // Session settings session_timeout: gs.getProperty("glide.security.session.timeout"), session_cookie_secure: gs.getProperty("glide.security.session.cookie.secure"),

// Password settings
password_min_length: gs.getProperty("glide.security.password.min_length"),
password_history: gs.getProperty("glide.security.password.history"),
password_expiry: gs.getProperty("glide.security.password.expiry"),

// Login settings
max_failed_logins: gs.getProperty("glide.security.password.max_failed_logins"),
lockout_duration: gs.getProperty("glide.security.password.lockout_duration"),

// General security
csrf_protection: gs.getProperty("glide.security.csrf.strict_validation"),
xss_protection: gs.getProperty("glide.security.xss.strict"),

} }

// Update security property function setSecurityProperty(name, value, requireRestart) { gs.setProperty(name, value)

if (requireRestart) { gs.warn("Security property changed: " + name + ". Restart may be required.") }

// Log security change gs.eventQueue("security.property.changed", null, name, value) }

Security Auditing (ES5)

Log Security Events

// Log security event (ES5 ONLY!) function logSecurityEvent(eventType, details) { var log = new GlideRecord("syslog") log.initialize()

log.setValue("level", "warning") log.setValue("source", "Security") log.setValue("message", eventType + ": " + JSON.stringify(details))

log.insert()

// Also queue for security monitoring gs.eventQueue("security.event", null, eventType, JSON.stringify(details)) }

// Track failed login attempts function trackFailedLogin(username, ipAddress) { logSecurityEvent("failed_login", { username: username, ip: ipAddress, timestamp: new GlideDateTime().getDisplayValue(), })

// Check for brute force var recentFailures = countRecentFailures(username, 5) // Last 5 minutes var maxFailures = parseInt(gs.getProperty("glide.security.password.max_failed_logins", "5"), 10)

if (recentFailures >= maxFailures) { lockAccount(username) logSecurityEvent("account_locked", { username: username, reason: "Too many failed login attempts", failures: recentFailures, }) } }

Security Health Check

// Check instance security health (ES5 ONLY!) function securityHealthCheck() { var issues = []

// Check for default admin password var admin = new GlideRecord("sys_user") if (admin.get("user_name", "admin")) { if (admin.getValue("password") === gs.getProperty("glide.security.default.admin.password")) { issues.push({ severity: "critical", issue: "Default admin password not changed" }) } }

// Check session timeout var timeout = parseInt(gs.getProperty("glide.security.session.timeout", "0"), 10) if (timeout === 0 || timeout > 60) { issues.push({ severity: "high", issue: "Session timeout too long or disabled" }) }

// Check password policy var minLength = parseInt(gs.getProperty("glide.security.password.min_length", "0"), 10) if (minLength < 12) { issues.push({ severity: "medium", issue: "Password minimum length less than 12" }) }

// Check HTTPS enforcement if (gs.getProperty("glide.security.session.cookie.secure") !== "true") { issues.push({ severity: "high", issue: "Secure cookies not enforced" }) }

return { healthy: issues.length === 0, issues: issues, } }

MCP Tool Integration

Available Tools

Tool Purpose

snow_property_get

Check security properties

snow_execute_script_with_output

Test security scripts

snow_review_access_control

Review ACLs

Example Workflow

// 1. Check security properties await snow_property_get({ name: "glide.security.session.timeout", })

// 2. Run security health check await snow_execute_script_with_output({ script: var health = securityHealthCheck(); gs.info(JSON.stringify(health)); , })

// 3. Review access controls await snow_query_table({ table: "sys_security_acl", query: "active=true^admin_overrides=true", fields: "name,operation,type,script", })

Best Practices

Strong Passwords - Enforce complexity
MFA - Enable for privileged users
Session Timeout - 15-30 minutes
Input Validation - Sanitize everything
Least Privilege - Minimal roles
Audit Logging - Log security events
Regular Reviews - Security assessments
ES5 Only - No modern JavaScript syntax

instance-security

Safety Notice

Copy this and send it to your AI assistant to learn

Source Transparency

Related Skills

acl-security

predictive-intelligence

scheduled-jobs

document-management