Another is that the vast majority of employee-created ServiceNow Knowledge Base articles are secured using what ServiceNow calls User Criteria. This is a security property that denies access to KB articles by default unless a User Criteria is set up that groups users to permit access. This capability was added in March 2020. However, Costello said, most enterprise ServiceNow instances have been around for far longer, causing them to still retain the previously insecure ‘allow public access by default’ value. This was the case for around 60% of the enterprise instances he analyzed. Even if this property is securely configured, he added, merely defining a ‘Can Contribute’ property on a KB will still allow unauthenticated users to read insecure articles within it.
In addition, the out-of-the-box User Criteria can be misleading to the untrained eye, Costello said. While there is an explicit ‘Guest User’ criteria for granting unauthenticated access, many administrators are unaware that other, less-explicitly named criteria also grant access to unauthenticated users.
And more often than not, when a User Criteria is set, it’s only on the allow-lists (‘Can Read’), Costello said. The deny-list (‘Cannot Read’) is ignored as a result. Because of the complicated nature of User Criteria, this can allow external users to slip through the cracks and be granted access.
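The three weaknesses described above (the legacy allow-by-default setting, a ‘Can Contribute’ definition exposing articles, and allow-lists that quietly include unauthenticated criteria while the deny-list stays empty) can be checked mechanically once the KB settings have been exported. The following is an added example, not code from the article or from ServiceNow: it models a knowledge base as a small record and flags each condition the text names. The field names, the `public_by_default` flag and the second criteria name in `UNAUTHENTICATED_CRITERIA` are assumptions for illustration, not real ServiceNow property names; only ‘Guest User’, ‘Can Read’, ‘Cannot Read’ and ‘Can Contribute’ come from the article.

```python
from dataclasses import dataclass, field

# Constructed set of User Criteria names that grant access to unauthenticated
# users. "Guest User" is the explicit one the article names; the second entry is
# a hypothetical stand-in for the less obviously named criteria it refers to.
UNAUTHENTICATED_CRITERIA = {"Guest User", "Portal Readers (hypothetical)"}


@dataclass
class KnowledgeBase:
    name: str
    # Assumed flag representing the pre-2020 'allow public access by default'
    # behaviour; not a real ServiceNow property name.
    public_by_default: bool = False
    can_read: set = field(default_factory=set)        # allow-list criteria
    cannot_read: set = field(default_factory=set)     # deny-list criteria
    can_contribute: set = field(default_factory=set)  # contributor criteria


def audit(kb: KnowledgeBase) -> list:
    """Return (severity, message) findings for one knowledge base."""
    findings = []

    # 1. Instance predates the default-deny change and still allows public access.
    if kb.public_by_default:
        findings.append(("high", "legacy allow-public-by-default setting still in effect"))

    # 2. Any 'Can Contribute' definition lets unauthenticated users read
    #    articles that carry no criteria of their own.
    if kb.can_contribute:
        findings.append(("high", "'Can Contribute' is defined; insecure articles readable by unauthenticated users"))

    # 3. The allow-list itself names a criteria that admits unauthenticated users.
    leaks = kb.can_read & UNAUTHENTICATED_CRITERIA
    if leaks:
        findings.append(("high", f"'Can Read' grants unauthenticated access via {sorted(leaks)}"))

    # 4. Allow-list configured but the deny-list was never used.
    if kb.can_read and not kb.cannot_read:
        findings.append(("info", "'Can Read' is set but the 'Cannot Read' deny-list is empty"))

    return findings


def audit_all(kbs) -> dict:
    """Audit several knowledge bases; returns {name: findings}."""
    return {kb.name: audit(kb) for kb in kbs}


# Constructed sample configurations exercising each finding.
SAMPLE_KBS = [
    KnowledgeBase("legacy-kb", public_by_default=True),
    KnowledgeBase("contrib-kb", can_read={"Employees"}, can_contribute={"Editors"}),
    KnowledgeBase("guest-kb", can_read={"Guest User"}),
    KnowledgeBase("hardened-kb", can_read={"Employees"}, cannot_read={"Guest User"}),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_KBS).items():
        print(name, findings or "OK")
```

Running the sample prints one or more findings for the first three knowledge bases and `OK` for the hardened one; in practice the records would be built from an export of the real KB and User Criteria tables rather than from the constructed list above.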