Skip to main content

ServiceNow Health Scan - resultant best practice suggestions (with some references)

 



item ref
ServiceNow recommends that secure platform properties are set according to the Security Hardening guide. Refer to the Security section of the product documentation
"URL Whitelist For Logout Redirects should be setup 1
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/url-whitelist-for-logout-redirects.html
Performance Monitoring ACL should be enabled 1 https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/performance-monitoring-acl.html
Enforce Relative Links should be enabled 1 https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/enforce-relative-links.html
SSLv2/SSLv3 should be disabled 1 https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/disabling-sslv2-sslv3.html
"Enable Blacklist for Attachments 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/enable-blacklist-for-attachments.html
"It is recommended to enable CSRF Strict Validation 1
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/csrf-strict-validation.html
"Allow ServiceNow employees to access the instance only
through secured set of IP ranges
1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/strict-ip-restriction.html
"Escape Excel Formula 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/escape-excel-formula.html
"Certificate Authority (CA) validation 1
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/concept/c_MutualAuthentication.html
"Allow Entity Validation with Whitelisting 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/allow-entity-validation-with-whitelisting.html
"Setting Entity Expansion Threshold 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/setting-entity-expansion-threshold.html
"Disable SQL error messages 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/disabling-sql-error-messages.html
"Disable Embedded HTML Code property 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/allow-embedded-html-code.html
"Specify Blacklisted Extensions 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/specify-blacklisted-extensions.html
"Enable Multi-factor authentication 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/integrate/authentication/concept/c_MultifactorAuthentication.html
"Disable Entity Expansion 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/disable-entity-expansion.html
"Specify Blacklisted File Types 1
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/specify-blacklisted-file-types.html
"Enable Privacy on Client-Callable Script Includes 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/privacy-on-client-callable-script-includes.html
"Obfuscate fields in snapshot saved during background
process on mobile application if instance contains sensitive
information
1
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/mobile-ui-obfuscation.html
"Escape Jelly should be enabled 1
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/escape-jelly.html
"Only allow acceptable file extensions to be uploaded during file attachment 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/restrict-file-extensions.html
"Upload MIME Type Restriction should be enabled 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/upload-mime-type-restriction.html
"XML External Entity Processing - Validation 1
" https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/xml-external-entity-processing-validation.html
"""Allow Javascript tags in Embedded HTML"" property should be disabled 0
" https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/security/reference/allow-javascript-tags-in-embedded-html.html
"Script Request Authorization should be enabled 0
"
"XML External Entity Processing - Whitelist 0
"
"Cookies – HTTP Only should be enabled 0
"
"XML Request Authorization should be enabled 0
"
"Set ""glide.set_x_frame_options"" property to true to avoid
clickjacking attacks.
0
"
"Restrict Emails by Domain 0
"
"RSS Request Authorization should be enabled 0
"
"Restrict Access to Emails with Empty Target Table 0
"
"Excel Request Authorization should be enabled 0
"
"""Remove Remember Me"" setting should be enabled 0
"
"SOAP Request Strict Security should be enabled 0
"
"Absolute Session Timeout 0
"
"Basic Auth SOAP Requests setting should be enabled 0
"
"Enforce Strict User Image Upload 0
"
"Convert Inbound Email HTML 0
"
"Attachments are visible to non-authenticated users. 0
"
"CSV Request Authorization should be enabled 0
"
"Prevent injection of JavaScript code in Jelly pages 0
"
"Session Window Timeout 0
"
"Rotate HTTP Session Identifiers setting should be enabled 0
"
"Escape HTML should be enabled 0
"
"XSD Request Authorization should be enabled 0
"
"Anti-CSRF Token setting should be enabled 0
"
"SOAP Content Type Checking should be enabled 0
"
"Prevent login for users with blank password 0
"
"Enable URL Whitelist for Cross-Origin iframe Communication 0
"
"Enforce a list of Downloadable Mime Types 0
"
"Enable AJAXGlideRecord ACL Checking 0
"
"Secure Session Cookies 0
"
"Basic Auth JSONv2 Requests setting should be enabled 0
"
"HTML Sanitizer property should be enabled 0
"
"Escape Javascript should be enabled 0
"
"Enable AJAXEvaluate should be disabled 0
"
"Double Check Inbound Transactions check should be
enabled
0
"
"Password Field Autocomplete should be disabled 0
"
"Set complex 'default' password 0
"
"Client Generated Scripts Sandbox should be enabled 0
"
"Enable ACLs to control Live Profile Details 0
"
"Packages Call Removal Tool 0
"
"Escape XML should be enabled 0
"
"Import Request Authorization should be enabled 0
"
"PDF Request Authorization should be enabled 0
"
"""Check UI Action Conditions check before Execution"" should
be enabled
0
"
"WSDL Request Authorization should be enabled 0
"
"Session Activity Timeout integer value should be specified 0
"
"ServiceNow recommends that the Security Hardening guide is followed, and
appropriate plugins and settings should be configured. Refer to the Security
1%
section of the product documentation.
"
Enable IP Range Based Authentication 1 https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/login/concept/c_IPRangeBasedAuthentication.html
Managing Failed Login Attempts 1 https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/security/reference/managing-failed-login-attempts.html
The Email Filters plugin should be enabled 0
Change Default Credentials 0
Enforce strong passwords 0
"
Unload Request Authorization should be enabled 0
"
"Security property
glide.ui.strict_customer_uploaded_content_types is not
defined or is blank
0
"
"Check Whitelist member calls 0

"
SAML 2.0 security enhancements 0
"Check Whitelist Package calls 0
"
"Default Credentials Visible on the Welcome page 0
"
Security Jump Start (ACL Rules) 0
What am I doing well?
"The use of the high security plugin and the contextual security manager is
critical to ensuring proper data segregation. It sets a policy of ""default deny"", as
well as giving contextual access rules for finely grained data control."
High security plugin 0
Contextual Security plugin should be enabled 0
"Ensure applications are configured securely to have appropriate data
separation between users. These may be product specific.
"
High Security default mode should be set to "deny" 0
Writing code to be readable and to produce obvious results is important for easy maintenance. Certain techniques can make debugging errors harder, or cause issues in the first place.
Use the condition field in Business Rules 39 https://developer.servicenow.com/dev_app.do#!/document/content/app_store_doc_technical_best_practices_istanbul_use_conditions_in_business_rules
Scripts should not contain hard-coded IDs 35 https://developer.servicenow.com/dev.do#!/guides/quebec/now-platform/tpb-guide/scripting_technical_best_practices
Before Business Rules should not update() or insert() records on other tables 20 https://docs.servicenow.com/bundle/paris-application-development/page/script/business-rules/reference/r_HowBusinessRulesWork.html
Hard coded instance URL 16
JavaScript Mode is not set on ES5 4 https://docs.servicenow.com/bundle/paris-application-development/page/script/JavaScript-engine-upgrade/concept/c_JS_modes.html
Scripts should not use the eval() method 3 https://developer.servicenow.com/dev.do#!/guides/orlando/now-platform/tpb-guide/scripting_technical_best_practices
Script Includes with duplicate names 1
Scripts should not use gs.sql 0
Business Rules should not be defined on the Global table (Global Business Rule) 0
Transform Script that run onBefore should not update() or insert() records on another table 0
Client Scripts should not be defined against the Global table 0
Business Rules should not use the SOAP getResponse() method 0
New globally-scoped client-side scripts don't run in strict mode and DOM access enabled.0
ServiceNow provides robust capabilities to make the system your own. However, custom functionality requires maintenance. Having large numbers of custom scripts, workflows and other items can increase upgrade times due to the testing required whilst increasing maintenance costs. ServiceNow baseline functionality may be able to replace custom functionality.
Number of changes in last 30 days 46820
Lines of custom code 25282
Number of Workflows 154
Number of in progress update sets 2
Complex Workflows, with many steps 2
Many ServiceNow applications rely upon the population of data items to facilitate the processes. Ensuring that the data is appropriately set will mean the applications are more easily managed and used. For example, naming of objects should be consistent and correct, and fields should be populated with the appropriate data.
List Report without any columns selected 15
Groups with no users 8
Update Sets should be named uniquely 6
Populate Knowledge Base articles fully 6
Duplicate foundation/core data found. 3
Every Knowledge Base should have at least one Category
defined. 2
Catalog Items should have at least a Name and a Short
description 2
Report assigned to a user which is not active 1
Minimise the number of errors per day 0
Following the best practices for platform and applications will help to keep the system easy to maintain. For example, errors should be dealt with promptly, user access reviewed, and outdated scripts removed. Otherwise, this results in routine activities taking longer than necessary.
Use Notification Categories 55
Applications should use Source Control 8 https://docs.servicenow.com/bundle/paris-application-development/page/build/applications/concept/c_SourceControlIntegration.html
Workflow(s) should not be checked out for an extended time 0
Excessive logging and use of debug properties can hurt performance. The system will spend time writing and evaluating debug information rather than responding to the user. Minimize the use of debugging in production.
Minimize logging in production 56
Client-side code should not contain the console.log() debugging method 2 https://developer.servicenow.com/dev.do#!/guides/orlando/now-platform/tpb-guide/debugging_best_practices
Debug properties should be disabled in production 1
Not following process best practices will mean standard maintenance tasks take longer. Records that are no longer used obfuscate the current, in use reports and tasks.
Reports not run for 3 months 3049
Lots of active tasks more than a month old 15
Use state, not Incident State or Problem State 2 https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/field-administration/concept/c_BPForStateFieldChoiceValues.html
Reporting enables users to extract data from the ServiceNow instance. This needs to be done securely, to ensure data is not shared inappropriately. For example, there are 362 reports that are available without a login.
Reports should typically not be made public 362
Report shared with a group which has no users 11
Report assigned to a non-existent group/user 0
Restrict reporting on non domain separated tables to limit cross contamination 0
Ensure applications are configured securely to have appropriate data separation between users. These may be product specific.
Number of users with the admin role 4
Enable and use Application Administration in scoped applications 4 https://docs.servicenow.com/bundle/quebec-application-development/page/build/applications/concept/application-administration.html
glide.import.error_message.generic is not enabled. 1 https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/reference-pages/reference/r_AvailableSystemProperties.html
Java Package Collection mode and Collection mode override properties should be disabled 0
Applications or modules are not protected by roles 0
AJAXGlideRecord ACL Checking should be enabled 0
Scripted REST resource without enabled security 0
Ensure gs.sql can be prevented 0
Review background script access
Custom scripts and other types of configuration are frequently the cause of performance issues. Certain techniques will cause the instance and browser to perform unnecessary work, becoming frustrating for the user. There are frequently alternative mechanisms, but in some cases, the performance impact must be weighed against the functionality gained.
Server-side code should not use GlideRecord.getRowCount() to count records 27 https://developer.servicenow.com/dev.do#!/reference/api/orlando/server_legacy/c_GlideRecordAPI#r_GlideRecord-getRowCount%20
Client Scripts should check for isLoading and return 11 https://developer.servicenow.com/dev.do#!/guides/orlando/now-platform/tpb-guide/client_scripting_technical_best_practices
Client-side code should not use GlideRecord 5 https://developer.servicenow.com/dev.do#!/guides/quebec/now-platform/tpb-guide/scripting_technical_best_practices
Avoid Global UI Scripts 3 https://docs.servicenow.com/bundle/quebec-application-development/page/script/client-scripts/concept/c_UIScripts.html
Read ACLs (Security rules) should not have GlideRecord/GlideAggregate in script 1
Client-side code should not use synchronous AJAX methods 1 https://developer.servicenow.com/dev.do#!/guides/orlando/now-platform/tpb-guide/client_scripting_technical_best_practices
current.update() in script workflow activity 1
GlideRecord in calculated fields 0
ServiceNow provides robust capabilities to make the system your own. However, custom functionality requires maintenance. Having large numbers of custom scripts, workflows and other items can increase upgrade times due to the testing required whilst increasing maintenance costs. ServiceNow baseline functionality may be able to replace custom functionality.
Excessive Client Scripts 4
More than 10 workflows for a table (excluding sc_request) 0
Setting performant defaults and nudging users to using the platform efficiently
will help ensure the system feels fast. For example, encouraging the use of
filters will mean users find the items they are interested in faster, while reducing
reports on home pages (that are frequently not used) will mean system
resources are focused appropriately.
Max page list size 1
Homepages Refresh Interval 0
The default "system" user preference for "rows per page"should be set to 50 or less 0
The "Go To" search should not default to using the "contains" operator The platform self-monitors certain scripts and can identify items that are consuming excessive resources. These items should be minimized.
Long running (slow) scripts 5
Reports with very long execution times 1
Certain products have application specific best practices that will ensure performance is optimized. The following products should be reviewed to ensure they follow performance best practices: Service Portal Designer
Remove unused services from client script. 12
Excessive logging and use of debug properties can hurt performance. The system will spend time writing and evaluating debug information rather than responding to the user. Minimize the use of debugging in production.
Do not query audit log in your custom integrations and code. 2 https://docs.servicenow.com/bundle/paris-platform-administration/page/administer/login/reference/r_AuditLogging.html
System property "glide.businessrule.callstack" should be set to false 0
Imports and integrations frequently cause the instance to process significant amounts of data. Unless this this is done efficiently, the instance can spend excessive resources on these activities, and consequently less on serving interactive user requests. Review your integrations to ensure best practices are being followed.
Index Suggestions for Slow Queries should be reviewed 1 https://docs.servicenow.com/bundle/quebec-platform-administration/page/administer/platform-performance/concept/index-suggestions.html
Table Transform Maps generally do not need "Run business rules" enabled 0 https://docs.servicenow.com/bundle/paris-platform-administration/page/script/server-scripting/task/t_CreateATransformMap.html
JDBC Data Sources should have the "Use last run datetime" option checked 0
LDAP Server definition should limit attributes retrieved 0
Fields used to coalesce in a Table Transform Maps should be indexed 0
How can I improve?
Items that are modified away from the baseline will not be modified on upgrades. In the last upgrade, there were 0 objects not upgraded (skipped) because they were detected as modified. ServiceNow recommends that modified baseline items are reviewed before the upgrade, and scriptable items are most important of those. HealthScan has detected 70 scriptable items that have been modified in the instance.
Differs from baseline: Business Rules 28
Differs from baseline: UI actions 24
Differs from baseline: Script Includes 11
Differs from baseline: Client Scripts (and UI Scripts) 5
Differs from baseline: UI Macros and UI Pages 2
Number of skipped items in last upgrade 0
Modification of State 0
Scripts that use deprecated or inadvisable techniques may not work, or may be inappropriate after an upgrade. HealthScan has detected 13 scripts where the functionality it supported should be tested after an upgrade. Longer term, consider if these scripts should be rewritten or the functionality removed after an upgrade.
Client-side code should not use DOM manipulation technique 7
Scripts should not directly call Java packages 6
Custom HTML modules 0
What am I doing well?
Certain products have application specific best practices that will make upgrades easier. The following products should be reviewed to ensure they follow upgrade best practices: Project Portfolio Management
Ensure standard states are used for demand 1
Domain Paths Feature Not Enabled With Domain Separated Instance 0
Ensure standard states are used for project and project tasks 0
You are running a version of ServiceNow that is currently supported. However, ServiceNow recommends frequently upgrading to the latest version. Each version contains security, performance and functionality improvements. Upgrading frequently reduces the "big bang" risk, and large version jumps require more intervention.
Version nearly out of support 0
Version out of support 0

Comments

Post a Comment

Popular posts from this blog

ServiceNow check for null or nil or empty (or not)

Haven't tested these all recently within global/local scopes, so feel free to have a play! option 1 use an encoded query embedded in the GlideRecord , e.g.  var grProf = new GlideRecord ( 'x_cls_clear_skye_i_profile' ); grProf . addQuery ( 'status=1^ owner=NULL ' ); grProf . query (); even better use the glideRecord  addNotNullQuery or addNullQuery option 2 JSUtil.nil / notNil (this might be the most powerful. See this link ) example: if ( current . operation () == 'insert' && JSUtil . notNil ( current . parent ) && ! current . work_effort . nil ())  option 3 there might be times when you need to get inside the GlideRecord and perform the check there, for example if the code goes down 2 optional routes depending on null / not null can use gs.nil : var grAppr = new GlideRecord ( 'sysapproval_approver' ); var grUser = new GlideRecord ( 'sys_user' ); if ( grUser . get ( 'sys_id' , current . approver )){
Post a Comment
Read more

Get URL Parameter - server side script (portal or classic UI)

Classic UI : var sURL_editparam = gs . action . getGlideURI (). getMap (). get ( ' sysparm_aparameter ' ); if ( sURL_editparam == 'true' ) { gs . addInfoMessage ( 'parameter passed ); } Portal : var sURL_editparam = $sp . getParameter ( " sysparm_aparameter " ); if ( sURL_editparam == 'true' ) { gs . addInfoMessage ( 'parameter passed ); }
20 comments
Read more