This step-by-step article describes how to configure
network security for the Simple Network Management Protocol (SNMP) service in
Windows Server 2003.
The SNMP service acts as an agent that collects
information that can be reported to SNMP management stations or consoles. You
can use the SNMP service to collect data and manage Windows Server 2003,
Microsoft Windows XP, and Microsoft Windows 2000-based computers throughout a
corporate network.
Communications between SNMP agents and SNMP
management stations are typically secured by assigning a shared community name
to the agents and management stations. When an SNMP management station sends a
query to the SNMP service, the community name of the requestor is compared to
the community name of the agent. If they match, the SNMP management station has
been authenticated. If they do not match, the SNMP agent considers the request
a "failed access" attempt, and may send an SNMP trap message.
The
SNMP messages are sent in clear text. These clear text messages are easily
intercepted and decoded by network analyzers, such as Microsoft Network
Monitor. Community names can be captured and used by unauthorized personnel to
gain valuable information about network resources.
IP Security Protocol (IPSec) can be used to protect SNMP communications. You can create IPSec policies to secure communications on UDP ports 161 and 162 to secure SNMP transactions.
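The following is an added example, not part of the Microsoft article, that shows on the wire what the paragraph above describes: the community name of an SNMPv1/v2c message is a plain BER OCTET STRING immediately after the version field, so anything that can read the UDP payload can read it. It decodes only that outer envelope, then audits a constructed set of captured payloads (the packet bytes, addresses, community names and the allowlist are all made up for the example) and reports default or unknown community names, as a monitor on a SPAN port might. SNMPv3 messages carry no community name and are skipped.

```python
"""Audit captured SNMP UDP payloads for clear-text community names.

Added example (not from the Microsoft KB article). Decodes only the outer
BER envelope: SEQUENCE { INTEGER version, OCTET STRING community, ... }.
All packet bytes, addresses and community names below are constructed.
"""
from typing import Iterable, List, Tuple

# Community names that ship as defaults and should never be seen in production.
WEAK_COMMUNITIES = {"public", "private"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(payload: bytes) -> Tuple[int, str]:
    """Return (version, community) for an SNMPv1 (0) or SNMPv2c (1) message.

    Raises ValueError for anything that is not a community-based SNMP
    message, including SNMPv3 (version field 3, no community string).
    """
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    version = int.from_bytes(ver, "big")
    if version not in (0, 1):
        raise ValueError(f"SNMP version {version} carries no community name")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("community is not an OCTET STRING")
    return version, community.decode("latin-1")


def audit_capture(records: Iterable[Tuple[str, str, bytes]],
                  allowed: set) -> List[dict]:
    """Classify each (src, dst, payload) record by the community name it exposes."""
    findings = []
    for src, dst, payload in records:
        try:
            version, community = parse_snmp_header(payload)
        except ValueError:
            continue  # not SNMPv1/v2c (e.g. SNMPv3 or malformed): nothing exposed
        if community in WEAK_COMMUNITIES:
            severity, issue = "high", "default community name in clear text"
        elif community not in allowed:
            severity, issue = "medium", "community name not on the allowlist"
        else:
            severity, issue = "info", "allowed community name, still readable by any sniffer"
        findings.append({"src": src, "dst": dst, "version": version,
                         "community": community, "severity": severity, "issue": issue})
    return findings


# Constructed SNMPv1 GetRequest (request-id 1, empty varbind list), community "public".
SAMPLE_GET_PUBLIC = bytes.fromhex(
    "3018"                  # SEQUENCE, 24 bytes follow
    "020100"                # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"      # OCTET STRING "public"
    "a00b0201010201000201003000"  # GetRequest PDU: req-id 1, error 0, index 0, no varbinds
)
# Same request with a constructed site-specific community "n3tOps-ro".
SAMPLE_GET_OPS = bytes.fromhex(
    "301b" "020100" "04096e33744f70732d726f" "a00b0201010201000201003000"
)
# Constructed SNMPv3 header fragment: version 3, then msgGlobalData SEQUENCE.
SAMPLE_V3 = bytes.fromhex("3005" "020103" "3000")

SAMPLE_RECORDS = [
    ("10.0.0.7", "10.0.0.20", SAMPLE_GET_PUBLIC),
    ("10.0.0.9", "10.0.0.20", SAMPLE_GET_OPS),
    ("10.0.0.9", "10.0.0.21", SAMPLE_V3),
]

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_RECORDS, allowed={"n3tOps-ro"}):
        print(f"{f['severity']:6} {f['src']} -> {f['dst']} v{f['version']} "
              f"community={f['community']!r}: {f['issue']}")
```

Running the block prints one line per SNMPv1/v2c record; the SNMPv3 record produces nothing because the parser refuses it before looking for a community string. The same audit applied to a live capture is a quick way to confirm that the IPsec policy described below is actually in force: once SNMP is carried inside ESP, the UDP payload is no longer parseable and the monitor goes silent.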
Create a filter list
To create an IPSec policy to secure SNMP messages, first create
the filter list. To do this, follow these steps:
- Click Start, point to Administrative Tools, and then click Local Security Policy.
- Expand Security Settings, right-click IP Security Policies on Local
Computer, and then click Manage IP filter lists and filter
actions.
- Click the Manage IP Filter Lists tab, and
then click Add.
- In the IP Filter List dialog box, type SNMP Messages (161/162)
in the Name box, and then type Filter for UDP port
161 in the Description box.
- Click to clear the Use Add Wizard check box, and then click Add.
- In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address.
In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.
- Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click
From this port, and then type 161 in
the box. Click To this port, and then type
161 in the box, and then click OK.
- In the IP Filter List dialog box, click Add.
- In the Source address box on the Addresses tab of the IP Filter Properties dialog box, click Any IP address.
In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the
exact opposite source and destination addresses check box.
- Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click
From this port, and then type 162 in
the box. Click To this port, and then type
162 in the box, and then click OK.
- In the IP Filter List dialog box, click Add.
- In the Source address box on the Addresses tab of the IP Filter Properties dialog box, click Any IP address.
In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box, and then click OK.
- Click OK in the IP Filter List dialog box, and then click OK in the Manage IP filter lists and filter
actions dialog box.
Create an IPSec policy
To create the IPSec Policy to force IPSec for SNMP
communications, follow these steps:
- Right-click the IP Security Policies on Local
Computer in the left pane, and then click Create IP Security Policy.
The IP Security Policy Wizard starts.
- Click Next.
- On the IP Security Policy Name page, type Secure
SNMP in the Name box. In the Description box, type Force IPSec for SNMP
Communications, and then click Next.
- Click to clear the Activate the default response
rule check box, and then click Next.
- On the Completing the IP Security Policy
Wizard page, verify that the Edit properties check
box is selected, and then click Finish.
- In the Secure SNMP Properties dialog box, click to clear the Use Add Wizard check box, and then click Add.
- Click the IP Filter List tab, and then click SNMP Messages (161/162).
- Click the Filter Action tab, and then click Require Security.
- Click the Authentication Methods tab. Kerberos is the default authentication method. If you
require alternate authentication methods, click Add. In the New Authentication Method Properties dialog box, select the authentication method that you want from
the following list, and then click OK:
- Active Directory default (Kerberos V5 protocol)
- Use a certificate from the certification authority (CA)
- Use this string (preshared key)
- In the New Rule Properties dialog box, click Apply, and then click OK.
- In the SNMP Properties dialog box, verify that the SNMP Messages (161/162) check box is selected, and then click OK.
- In the right pane of the Local Security Settings console,
right-click the Secure SNMP rule, and then click Assign.
Complete this procedure on all Windows-based computers that are
running the SNMP service. This IPSec Policy must also be configured on the SNMP
management station.
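Because the procedure has to be repeated on every SNMP agent and on the management station, it is worth scripting. The following is an added example, not a script from the Microsoft article: it generates the `netsh ipsec static` commands that correspond to the GUI steps above (the same filter list, policy and description names, UDP 161 and 162 mirrored filters with My IP Address as destination, the built-in Require Security filter action, Kerberos by default with preshared key or CA certificate as alternatives) and runs them only when explicitly asked to on a Windows host. It assumes the `netsh ipsec static` context and the built-in "Require Security" filter action are present, as they are on Windows Server 2003; the rule name "SNMP" is a placeholder of this example.

```python
"""Generate, and optionally apply, the netsh ipsec static commands that
mirror the article's GUI procedure for the Secure SNMP policy.

Added example, not Microsoft's script. Assumes the 'netsh ipsec static'
context of Windows Server 2003 and its built-in 'Require Security' filter
action. Policy, filter-list and description names are taken from the
article; the rule name "SNMP" is a placeholder chosen here.
"""
import subprocess
import sys
from typing import List, Optional, Sequence

FILTER_LIST = "SNMP Messages (161/162)"
POLICY = "Secure SNMP"
FILTER_ACTION = "Require Security"  # built-in: negotiate security, no clear-text fallback


def build_commands(ports: Sequence[int] = (161, 162),
                   auth: str = "kerberos",
                   psk: Optional[str] = None,
                   rootca: Optional[str] = None) -> List[str]:
    """Return the ordered netsh command lines for one host.

    auth is "kerberos" (Active Directory default), "psk" (preshared key,
    requires psk) or "rootca" (CA certificate, requires the CA's DN in rootca).
    """
    if auth == "psk" and not psk:
        raise ValueError("auth='psk' requires a preshared key")
    if auth == "rootca" and not rootca:
        raise ValueError("auth='rootca' requires the root CA distinguished name")
    if auth not in ("kerberos", "psk", "rootca"):
        raise ValueError(f"unknown authentication method {auth!r}")

    cmds = [
        f'netsh ipsec static add filterlist name="{FILTER_LIST}" '
        f'description="Filter for UDP port 161"',
    ]
    for port in ports:
        # srcaddr=any / dstaddr=me / mirrored=yes matches the Addresses tab;
        # srcport=0 means any source port, dstport is the SNMP port.
        cmds.append(
            f'netsh ipsec static add filter filterlist="{FILTER_LIST}" '
            f'srcaddr=any dstaddr=me protocol=UDP srcport=0 dstport={port} '
            f'mirrored=yes description="SNMP UDP {port}"'
        )
    # activatedefaultrule=no matches clearing "Activate the default response rule".
    cmds.append(
        f'netsh ipsec static add policy name="{POLICY}" '
        f'description="Force IPSec for SNMP Communications" activatedefaultrule=no'
    )
    rule = (f'netsh ipsec static add rule name="SNMP" policy="{POLICY}" '
            f'filterlist="{FILTER_LIST}" filteraction="{FILTER_ACTION}"')
    if auth == "kerberos":
        rule += " kerberos=yes"
    elif auth == "psk":
        rule += f' psk="{psk}"'
    else:
        rule += f' rootca="{rootca}"'
    cmds.append(rule)
    # Equivalent of right-clicking the policy and clicking Assign.
    cmds.append(f'netsh ipsec static set policy name="{POLICY}" assign=yes')
    return cmds


def apply_commands(cmds: List[str], execute: bool = False) -> int:
    """Print each command; run it only when execute=True on a Windows host.

    Returns the number of commands actually executed. Stops at the first
    failure so a half-built policy is not assigned.
    """
    ran = 0
    for cmd in cmds:
        print(cmd)
        if execute and sys.platform == "win32":
            subprocess.run(cmd, shell=True, check=True)
            ran += 1
    return ran


if __name__ == "__main__":
    # Dry run by default; pass "--apply" to execute on the target host.
    apply_commands(build_commands(), execute="--apply" in sys.argv[1:])
```

The commands must run in this order: the filter list has to exist before a filter is added to it, the policy before the rule that references it, and the policy is assigned last so nothing takes effect until the rule is complete. Run the same script on the management station so both ends negotiate IPsec for ports 161 and 162.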
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
324263 (http://support.microsoft.com/kb/324263/) How to configure the Simple Network Management Protocol (SNMP) in Windows Server 2003