\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!\]
My organization's IT department is deploying a unified systems management solution that will support SNMP. Security administrators want to include authentication in the SNMP manager-to-agent communications. Which SNMP security features does the Windows NT 4.0 implementation of SNMP support? Does NT 4.0 support any of SNMP 3.0's new advanced security features?
The NT 4.0 SNMP service supports only SNMP 2.0 (defined in Internet Engineering Task Force—IEEF—Request for Comments—RFCs—1901, 1905, and 1906) and SNMP 1.0 (defined in RFC 1157) security features. The service doesn't support any of the advanced security features that SNMP 3.0 (defined in RFCs 2273 through 2275) offers. SNMP 3.0 can provide advanced authentication based on either the Message Digest 5 (MD5) or the Secure Hash Algorithm (SHA) hash functions. SNMP 3.0 also can provide encryption—based on the Data Encryption Standard (DES) symmetric cipher—of the SNMP messages exchanged between a manager and an agent.
SNMP 2.0's and SNMP 1.0's manager-to-agent authentication depends on community strings, which work much like simple passwords. NT 4.0 includes only SNMP agent software. The Microsoft Windows NT Server 4.0 Resource Kit offers a limited SNMP manager—the SNMP monitor (snmpmon.exe). This SNMP manager is limited in part because it supports only one preconfigured community string named public. (You can find a list of advanced SNMP manager software products, such as Hewlett-Packard's HP OpenView, at http://www.snmpworld.com.) For security purposes, you should remove the public community string and add community strings to which you give less obvious names. Alternatively, you might also disable the public community string by giving it a security level of NONE.
To set up additional NT 4.0 SNMP agent community strings, open the Microsoft SNMP Service's Properties dialog box and select the Security tab, which Figure 1 shows. (You can access the SNMP service from the Services tab in a machine's network configuration.) To choose community-string names, apply the usual rules for passwords (e.g., 10-character minimum length, combined alphabetic and numeric characters.) Figure 1 shows an example of such a community string: nmkl4lhgf8k1.
NT 4.0 Service Pack 4 (SP4) and later includes an SNMP agent that supports a new community-string-related security feature: security levels. Security levels let you specify an access level (i.e., security level) for each community string. The Microsoft article "SNMP Security Extended by Service Pack 4" (http://support.microsoft.com/default.aspx?scid=kb;en-us;q200890) offers an overview of available security levels. To change a community string's security level, select the community string's name and click Edit, then edit the choices in the Rights column.
Community strings are stored in the clear (i.e., in plain text) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SNMP\Parameters\ValidCommunities registry subkey. You should change the community strings regularly. Because the community string is a secret that the SNMP agent and manager share, remember to change the string on both the SNMP agent and the SNMP manager.
Three additional security-related settings you might want to select are Send Authentication Trap, Accept SNMP Packets from These Hosts, and Trap Destinations. Selecting the Send Authentication Trap check box ensures that the SNMP agent sends a notification message to the SNMP manager when the agent detects community authentication failures, which could indicate a break-in attempt. You should use the Accept SNMP Packets from These Hosts option to limit the hosts from which SNMP packets are accepted. (Figure 1 shows the hosts limited to those with IP addresses 16.23.5.9 and 16.23.5.25.) You set both the Send Authentication Trap and Accept SNMP Packets from These Hosts configuration options from the Security tab. You can set Trap Destinations from the Traps tab, which Figure 2 shows. Traps are SNMP warning messages that SNMP agents send to SNMP manager machines. Figure 2 shows that the host will use the community string nmkl4lhgf8k1 to send traps to the SNMP manager with the IP address 16.23.5.96.
