Microsoft KB Archive/313381

= HOW TO: Configure Network Security for the SNMP Service in Windows 2000 =

PSS ID Number: 313381

Article Last Modified on 11/5/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server

-



This article was previously published under Q313381



IN THIS TASK

 * SUMMARY
 * Create a Filter List
 * Create an IPSec Policy



SUMMARY
This step-by-step article describes how to configure network security for the Simple Network Management Protocol (SNMP) service.

The Windows 2000 SNMP service acts as an agent that collects information that can be reported to SNMP management stations or consoles. You can use the SNMP service to collect data and manage Windows 2000-based computers throughout a corporate network.

Communications between SNMP agents and SNMP management stations are typically secured by assigning a shared community name to the agents and management stations. When an SNMP management station sends a query to the SNMP service, the community name of the requestor is compared to the community name of the agent. If they match, the SNMP management station has been authenticated. If they do not match, the SNMP agent considers the request a failed access attempt, and may send an SNMP trap message.

The SNMP messages are sent in clear text. These clear text messages are easily intercepted and decoded by network analyzers such as the Microsoft Network Monitor. Community names can be captured and used by unauthorized personnel to gain valuable information about network resources.

IPSec can be used to protect SNMP communications. You can create IPSec policies that secure communications on TCP and UDP ports 161 and 162, and so secure SNMP transactions.
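As an added illustration of the clear-text exposure described above (example code written for this article, not a Microsoft tool): a small check that scans captured UDP datagrams on ports 161/162 and reports any SNMP v1/v2c community names readable on the wire. The sample datagrams are constructed; once the IPSec policy in this article is assigned, SNMP travels inside ESP and a scan of UDP payloads like this one should come back empty.

```python
# Hypothetical check written for this article (not Microsoft code): scan
# captured UDP datagrams for clear-text SNMP v1/v2c and report community names.

SNMP_PORTS = {161, 162}

def _ber_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the BER TLV at pos.
    Handles short-form and long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def snmp_community(payload):
    """Return (version, community) for an SNMP v1 (0) or v2c (1) message,
    or None if the bytes do not parse as one."""
    try:
        tag, start, end = _ber_tlv(payload, 0)
        if tag != 0x30 or end > len(payload):   # outer SEQUENCE
            return None
        tag, vs, ve = _ber_tlv(payload, start)  # INTEGER version
        if tag != 0x02:
            return None
        version = int.from_bytes(payload[vs:ve], "big")
        tag, cs, ce = _ber_tlv(payload, ve)     # OCTET STRING community
        if tag != 0x04 or version not in (0, 1):
            return None
        return version, payload[cs:ce].decode("ascii")
    except (IndexError, UnicodeDecodeError):
        return None

def exposed_communities(datagrams):
    """datagrams: iterable of (src_port, dst_port, payload) tuples, as a
    capture tool presents UDP traffic. Returns community names that were
    readable in clear text on the SNMP ports."""
    found = set()
    for src, dst, payload in datagrams:
        if src in SNMP_PORTS or dst in SNMP_PORTS:
            parsed = snmp_community(payload)
            if parsed is not None:
                found.add(parsed[1])
    return found

# Constructed samples: an SNMPv1 GetRequest (community "public") to port 161,
# a DNS query on port 53, and junk bytes sent to port 161.
SAMPLE_GET = bytes.fromhex("3018020100" "04067075626c6963"
                           "a00b020101020100020100" "3000")
SAMPLE_DATAGRAMS = [
    (49152, 161, SAMPLE_GET),
    (49153, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
    (49154, 161, b"\xff\xfe\x00"),
]
```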


Create a Filter List
To create an IPSec policy to secure SNMP messages, first perform the following steps to create the filter list:
 * 1) Click Start, point to Programs, point to Administrative Tools, and then click Local Security Policy.
 * 2) Expand the Security Settings node in the left pane, right-click IP Security Policies, and then click Manage IP filter lists and filter actions.
 * 3) Click the Manage IP Filter Lists tab, and then click Add.
 * 4) In the IP Filter List dialog box, type SNMP Messages (161/162) in the Name box. In the Description box, type Filter for TCP and UDP ports 161.
 * 5) Click to clear the Use Add Wizard check box, and then click Add.
 * 6) In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
 * 7) Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol box, click the From this port option, and then type 161 in the box. Click the To this port option, and then type 161 in the box. Click OK.
 * 8) In the IP Filter List dialog box, click the Add button.
 * 9) In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
 * 10) Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol box, click the From this port option, and then type 161 in the text box. Click the To this port option, and then type 161 in the box. Click OK.
 * 11) In the IP Filter List dialog box, click the Add button.
 * 12) In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
 * 13) Configure the clients that will send traps as a mirror image of the server that receives them: where the server's filter definitions use My IP Address, the clients use Any IP Address. That is, on the clients, for Source use My IP Address, and for Destination use Any IP Address.

However, the source port at the client may not match the filters as defined here. When the client sends a trap to the server, it may use an ephemeral port. If a Netmon trace shows that an ephemeral port is being used and the traffic is not encrypted, you may have to set the source port to Any port at the server end of the connection for all of the definitions.
 * 14) Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol box, click the From this port option, and then type 162 in the box. Click the To this port option, and then type 162 in the box. Click OK.
 * 15) In the IP Filter List dialog box, click the Add button.
 * 16) In the Source address box, click the Any IP address option. In the Destination address box, click the My IP Address option. Click to select the Mirrored check box.
 * 17) Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol box, click the From this port option, and then type 162 in the box. Click the To this port option, and then type 162 in the box. Click OK.
 * 18) In the IP Filter List dialog box, click Close.
 * 19) In the Manage IP filter lists and filter actions dialog box, click Close.
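The filter list built above, modelled as an added example (hypothetical helper written for this article, not a Microsoft tool) so the ephemeral-port caveat can be checked before assigning the policy. Addresses are constructed; "me" stands for My IP Address and "any" for Any IP Address / Any port, and mirrored filters also match the reversed direction.

```python
# Hypothetical model of the article's IPSec filter list (not Microsoft code).
# A filter is src/dst address, protocol, src/dst port; "me" = My IP Address,
# "any" = Any IP Address or Any port. Mirrored filters match both directions.

MY_IP = "10.0.0.5"  # constructed local address of the SNMP server

def make_filter(src, dst, proto, sport, dport, mirrored=True):
    return {"src": src, "dst": dst, "proto": proto,
            "sport": sport, "dport": dport, "mirrored": mirrored}

# The four filters the article creates, in the same order.
SNMP_FILTERS = [
    make_filter("any", "me", "UDP", 161, 161),
    make_filter("any", "me", "TCP", 161, 161),
    make_filter("any", "me", "UDP", 162, 162),
    make_filter("any", "me", "TCP", 162, 162),
]

# The variant the article suggests when traps arrive from an ephemeral port.
TRAP_ANY_SRC_PORT = [make_filter("any", "me", "UDP", "any", 162)]

def _field_match(rule, value, my_ip):
    if rule == "any":
        return True
    if rule == "me":
        return value == my_ip
    return rule == value

def _one_way(f, src, dst, proto, sport, dport, my_ip):
    return (f["proto"] == proto
            and _field_match(f["src"], src, my_ip)
            and _field_match(f["dst"], dst, my_ip)
            and _field_match(f["sport"], sport, my_ip)
            and _field_match(f["dport"], dport, my_ip))

def matches(filters, src, dst, proto, sport, dport, my_ip=MY_IP):
    """True if some filter in the list (or its mirror) covers the packet,
    meaning the Require Security action would apply to it."""
    for f in filters:
        if _one_way(f, src, dst, proto, sport, dport, my_ip):
            return True
        if f["mirrored"] and _one_way(f, dst, src, proto, dport, sport, my_ip):
            return True
    return False
```

A trap sent from client port 49152 to server port 162 matches none of the four 161/161 and 162/162 filters, which is the unencrypted traffic the article says a Netmon trace would reveal; the same packet matches once the source port is Any port.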


Create an IPSec Policy
To create the IPSec Policy to force IPSec for SNMP communications:
 * 1) Right-click the IP Security Policies node in the left pane, and then click Create IP Security Policy.
 * 2) On the Welcome to the IP Security Policy Wizard page, click Next.
 * 3) On the IP Security Policy Name page, type Secure SNMP in the Name box. In the Description box, type Force IPSec for SNMP Communications, and then click Next.
 * 4) Click to clear the Activate the default response rule check box, and then click Next.
 * 5) On the Completing the IP Security Policy Wizard page, leave the checkmark in the Edit properties check box, and then click Finish.
 * 6) In the Secure SNMP Properties dialog box, click to clear the Use Add Wizard check box, and then click the Add button.
 * 7) In the New Rule Properties dialog box, click the IP Filter List tab, and then click SNMP Messages (161/162).
 * 8) Click the Filter Action tab, and then click Require Security.
 * 9) Click the Authentication Methods tab. Kerberos is the default authentication method. If you require alternate authentication methods, click the Add button. In the New Authentication Method Properties dialog box, you can choose Windows 2000 default (Kerberos V5 protocol), Use a certificate from this certificate authority (CA), or Use this string to protect the key exchange (preshared key). Click OK after making your selection.
 * 10) In the New Rule Properties dialog box, click Apply and then click OK.
 * 11) In the Secure SNMP Properties dialog box, there should be a checkmark in the SNMP Messages (161/162) check box. Click Close.
 * 12) In the right pane of the Local Security Settings dialog box, right-click the Secure SNMP rule, and then click Assign.

Complete this procedure on all Windows 2000-based computers that are running the SNMP service. The SNMP Management station must also have this IPSec Policy configured.


Keywords: kbenv kbhowto kbHOWTOmaster KB313381

Technology: kbwin2000Search kbwin2000Serv kbwin2000ServSearch

-


© 2004 Microsoft Corporation. All rights reserved.