JSI Tip 4741. How do I configure network security for the Simple Network Management Protocol (SNMP) service?

NOTE: The text in the following Microsoft Knowledge Base article is provided so that the site search can find this page. Please click the Knowledge Base link to ensure that you are reading the most current information.

Microsoft Knowledge Base article Q313381 contains:

SUMMARY

This step-by-step article describes how to configure network security for the Simple Network Management Protocol (SNMP) service.

The Windows 2000 SNMP service acts as an agent that collects information that can be reported to SNMP management stations or consoles. You can use the SNMP service to collect data and manage Windows 2000-based computers throughout a corporate network.

Communications between SNMP agents and SNMP management stations are typically secured by assigning a shared community name to the agents and management stations. When an SNMP management station sends a query to the SNMP service, the community name of the requestor is compared to the community name of the agent. If they match, the SNMP management station has been authenticated. If they do not match, the SNMP agent considers the request a failed access attempt, and may send an SNMP trap message.

SNMP messages are sent in clear text. These clear text messages are easily intercepted and decoded by network analyzers such as Microsoft Network Monitor. Community names can be captured and used by unauthorized personnel to gain valuable information about network resources.

IPSec can be used to protect SNMP communications. You can create IPSec policies that secure communications on TCP and UDP ports 161 and 162, which secures SNMP transactions.


Create a Filter List

To create an IPSec policy to secure SNMP messages, first perform the following steps to create the filter list:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
  2. Expand the Security Settings node in the left pane, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
  3. Click the Manage IP Filter Lists tab, and then click Add.
  4. In the IP Filter List dialog box, type SNMP Messages (161/162) in the Name box. In the Description box, type Filter for TCP and UDP ports 161.
  5. Click to clear the Use Add Wizard check box, and then click Add.
  6. In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
  7. Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click the From this port option, and then type 161 in the box. Click the To this port option, and then type 161 in the box. Click OK.
  8. In the IP Filter List dialog box, click the Add button.
  9. In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
  10. Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol port box, click the From this port option, and then type 161 in the box. Click the To this port option, and then type 161 in the box. Click OK.
  11. In the IP Filter List dialog box, click the Add button.
  12. In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
  13. Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click the From this port option, and then type 162 in the box. Click the To this port option, and then type 162 in the box. Click OK.
  14. In the IP Filter List dialog box, click the Add button.
  15. In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
  16. Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol port box, click the From this port option, and then type 162 in the box. Click the To this port option, and then type 162 in the box. Click OK.
  17. In the IP Filter List dialog box, click Close.
  18. In the Manage IP filter lists and filter actions dialog box, click Close.




Create an IPSec Policy

To create the IPSec Policy to force IPSec for SNMP communications:
  1. Right-click the IP Security Policies node in the left pane, and then click Create IP Security Policy.
  2. On the Welcome to the IP Security Policy Wizard page, click Next.
  3. On the IP Security Policy Name page, type Secure SNMP in the Name box. In the Description box, type Force IPSec for SNMP Communications, and then click Next.
  4. Click to clear the Activate the default response rule check box, and then click Next.
  5. On the Completing the IP Security Policy Wizard page, leave the check mark in the Edit properties check box, and then click Finish.
  6. In the Secure SNMP Properties dialog box, click to clear the Use Add Wizard check box, and then click the Add button.
  7. In the New Rule Properties dialog box, click the IP Filter List tab, and then click SNMP Messages (161/162).
  8. Click the Filter Action tab, and then click Require Security.
  9. Click the Authentication Methods tab. Kerberos is the default authentication method. If you require alternate authentication methods, click the Add button. In the New Authentication Method Properties dialog box, you can choose Windows 2000 default (Kerberos V5 protocol), Use a certificate from the certificate authority (CA), or Use this string to protect the key exchange (preshared key). Click OK after making your selection.
  10. In the New Rule Properties dialog box, click Apply, and then click OK.
  11. In the Secure SNMP Properties dialog box, verify that the SNMP Messages (161/162) check box is selected, and then click Close.
  12. In the right pane of the Local Security Settings dialog box, right-click the Secure SNMP policy, and then click Assign.



Complete this procedure on all Windows 2000-based computers that are running the SNMP service. The SNMP Management station must also have this IPSec Policy configured.
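The same filter list, policy, rule and assignment, scripted instead of clicked, as an added example that is not part of KB Q313381 or this JSI tip. It uses the netsh ipsec static context, which exists on Windows XP / Server 2003 and later but not on Windows 2000 (Windows 2000 had ipsecpol.exe from the Resource Kit instead), so it is a way to reproduce the article's policy on later systems or to check that a hand-built one matches. It assumes an elevated PowerShell prompt and the article's names for the filter list and policy; the filter-action name and the rule name are invented here.

```powershell
# Added example (not from KB Q313381): builds the article's "Secure SNMP" IPSec policy
# with "netsh ipsec static". Requires Windows XP / Server 2003 or later; Windows 2000
# has no netsh ipsec context (it used ipsecpol.exe), so there the MMC steps above apply.
# Run from an administrator PowerShell prompt. Filter list and policy names are the
# article's; the filter-action and rule names are assumptions made for this script.

$FilterList   = 'SNMP Messages (161/162)'
$Policy       = 'Secure SNMP'
$FilterAction = 'Require Security - SNMP'   # assumed name; same semantics as the built-in Require Security
$Rule         = 'SNMP over IPSec'            # assumed name

function Invoke-IpsecStatic {
    # Runs one "netsh ipsec static ..." command and throws on a non-zero exit code.
    # Each element is passed as its own token; PowerShell quotes tokens that contain
    # spaces, which netsh accepts as name=SNMP Messages (161/162).
    param([Parameter(Mandatory)][string[]]$Arguments)
    $output = & netsh ipsec static @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static $($Arguments -join ' ') failed ($LASTEXITCODE):`n$output"
    }
    $output
}

# Filter list steps 4 to 17: one list holding four mirrored filters (UDP/TCP x 161/162),
# any source address to "me". Mirrored means the reply direction is matched as well.
Invoke-IpsecStatic add, filterlist, "name=$FilterList", 'description=Filter for TCP and UDP ports 161'
foreach ($proto in 'UDP', 'TCP') {
    foreach ($port in 161, 162) {
        Invoke-IpsecStatic add, filter, "filterlist=$FilterList",
            'srcaddr=any', 'dstaddr=me', "protocol=$proto",
            "srcport=$port", "dstport=$port", 'mirrored=yes',
            "description=SNMP $proto $port"
    }
}

# Policy step 8, "Require Security": inpass=no rejects unsecured inbound traffic and
# soft=no forbids falling back to clear text when negotiation fails. Setting either
# to yes would let a peer that lacks the policy keep talking SNMP in the clear.
Invoke-IpsecStatic add, filteraction, "name=$FilterAction", 'action=negotiate', 'inpass=no', 'soft=no'

# Policy steps 1 to 7 and 9: no default response rule, Kerberos authentication.
# Kerberos works only when agent and management station are in the same (or a trusting)
# Active Directory domain; otherwise use rootca= (certificate) or psk= instead.
Invoke-IpsecStatic add, policy, "name=$Policy",
    'description=Force IPSec for SNMP Communications', 'activatedefaultrule=no'
Invoke-IpsecStatic add, rule, "name=$Rule", "policy=$Policy",
    "filterlist=$FilterList", "filteraction=$FilterAction", 'kerberos=yes'

# Policy step 12: assign the policy so the IPSec driver starts enforcing it.
Invoke-IpsecStatic set, policy, "name=$Policy", 'assign=yes'

# Check: the verbose listing should show the rule, the four filters and the action.
Invoke-IpsecStatic show, policy, "name=$Policy", 'level=verbose'
```

As the article says, the policy has to be present on every SNMP agent and on the management station. Because the filter action neither accepts unsecured inbound traffic nor falls back to clear text, a station that has not been given the policy simply loses SNMP access to the agent rather than silently being served in the clear; that is the intended failure mode, so roll the policy out to the management station first and confirm the verbose listing on an agent before assigning it broadly.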
