Configuration

Increase user lock out period after maximum unsuccessful login attempts


Security
A07: Identification and Authentication Failures
0h 30m to fix

What is the importance of locking out users?

User account lockout is a prevalent practice not only within ServiceNow but across various platforms. It is commonly employed along with multi-factor authentication and security questions to safeguard accounts.

For enhanced security, ServiceNow offers a System Property named password_reset.request.max_attempt_window that regulates the duration, in minutes, for which a user is locked out of the instance after submitting the maximum number of unsuccessful authentication attempts.

Why is this an issue?

Setting a high threshold for user lockout, along with the maximum password attempts on your instance, can expose you to specific security threats, such as:

  1. Brute Force Attacks: Brute force attacks involve the systematic trial of multiple passwords until the right one is found. Establishing a limit on unsuccessful attempts mitigates these attacks and makes unauthorized access more difficult.

  2. Credential Exposure: In credential stuffing attacks, attackers use usernames and passwords leaked from one service to illicitly access other accounts where users have reused the same credentials.

This is particularly crucial in ServiceNow when managing clients across multiple companies, because the risk of unauthorized access and potential information leakage spans every tenant served by the instance.

How do I fix it?

  1. In the Filter Navigator, type sys_properties.list and press Enter.

  2. Search for password_reset.request.max_attempt_window.

  3. Set the Value field to a number greater than 1439 (the value is in minutes).
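To confirm the setting outside the UI, the following added example (not ServiceNow's own code) audits the property as it comes back from the ServiceNow Table API. It assumes the standard `GET /api/now/table/sys_properties` response shape of `{"result": [{"name": ..., "value": ...}]}`; the sample payloads are constructed for this example.

```javascript
// Audit helper for password_reset.request.max_attempt_window.
// Input is a parsed Table API response ({"result": [...]}); the sample
// payloads at the bottom are constructed stand-ins for live output.

const PROPERTY_NAME = 'password_reset.request.max_attempt_window';
const REQUIRED_MINIMUM = 1440; // page guidance: value must be more than 1439 minutes

// Returns { status, value, reason }; status is 'pass', 'fail' or 'missing'.
function checkLockoutWindow(tableApiResponse) {
  const records = (tableApiResponse && tableApiResponse.result) || [];
  const record = records.find((r) => r.name === PROPERTY_NAME);
  if (!record) {
    return { status: 'missing', value: null, reason: `${PROPERTY_NAME} not present in sys_properties` };
  }
  // sys_properties stores values as strings; normalise before parsing.
  const raw = record.value === undefined || record.value === null ? '' : String(record.value).trim();
  // An empty or non-numeric value does not enforce the intended lockout window.
  if (!/^\d+$/.test(raw)) {
    return { status: 'fail', value: raw, reason: 'value is empty or not a whole number of minutes' };
  }
  const minutes = Number(raw);
  if (minutes < REQUIRED_MINIMUM) {
    return { status: 'fail', value: minutes, reason: `lockout window of ${minutes} min is below ${REQUIRED_MINIMUM} min` };
  }
  return { status: 'pass', value: minutes, reason: `lockout window of ${minutes} min meets the requirement` };
}

// Constructed sample responses (not captured from a real instance).
const SAMPLE_WEAK = { result: [{ name: PROPERTY_NAME, value: '30' }] };
const SAMPLE_HARDENED = { result: [{ name: PROPERTY_NAME, value: '1440' }] };
const SAMPLE_MISSING = { result: [{ name: 'example.unrelated.property', value: '30' }] };

for (const sample of [SAMPLE_WEAK, SAMPLE_HARDENED, SAMPLE_MISSING]) {
  const r = checkLockoutWindow(sample);
  console.log(`${r.status.toUpperCase()}: ${r.reason}`);
}
```

In practice the response object comes from the Table API call run with a read-only account; the helper itself never modifies the property.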


© Copyright 2025. All rights reserved.