Microsoft KB Archive/324261

= How to configure Network Security for the SNMP Service in Windows Server 2003 =

Article ID: 324261

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Small Business Server 2003 Standard Edition
 * Microsoft Windows Small Business Server 2003 Premium Edition

-



This article was previously published under Q324261



This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about how to obtain support for a Beta release, see the documentation that is included with the Beta product files, or check the Web location from which you downloaded the release.

IN THIS TASK
SUMMARY
 * Create a Filter List
 * Create an IPSec Policy

REFERENCES



SUMMARY
This step-by-step article describes how to configure network security for the Simple Network Management Protocol (SNMP) service in Windows Server 2003.

The SNMP service acts as an agent that collects information that can be reported to SNMP management stations or consoles. You can use the SNMP service to collect data and manage Windows Server 2003, Microsoft Windows XP, and Microsoft Windows 2000-based computers throughout a corporate network.

Communications between SNMP agents and SNMP management stations is typically secured by assigning a shared community name to the agents and management stations. When an SNMP management station sends a query to the SNMP service, the community name of the requestor is compared to the community name of the agent. If they match, the SNMP management station has been authenticated. If they do not match, the SNMP agent considers the request a &quot;failed access&quot; attempt, and may send an SNMP trap message.

The SNMP messages are sent in clear text. These clear text messages are easily intercepted and decoded by network analyzers, such as Microsoft Network Monitor. Community names can be captured and used by unauthorized personnel to gain valuable information about network resources.

IP Security Protocol (IPSec) can be used to protect SNMP communications. You can create IPSec policies to secure communications on TCP and UDP ports 161 and 162 to secure SNMP transactions.

back to the top

Create a Filter List
To create an IPSec policy to secure SNMP messages, first create the filter list. To do this, follow these steps:
 * 1) Click Start, point to Administrative Tools, and then click Local Security Policy.
 * 2) Expand Security Settings, right-click IP Security Policies on Local Computer, and then click Manage IP filter lists and filter actions.
 * 3) Click the Manage IP Filter Lists tab, and then click Add.
 * 4) In the IP Filter List dialog box, type SNMP Messages (161/162) in the Name box, and then type Filter for TCP and UDP ports 161 in the Description box.
 * 5) Click to clear the Use Add Wizard check box, and then click Add.
 * 6) In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addresses check box.
 * 7) Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol port box, click From this port, and then type 161 in the box. Click To this port, and then type 161 in the box.
 * 8) Click OK.
 * 9) In the IP Filter List dialog box, click Add.
 * 10) In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match pockets with the exact opposite source and destination addresses check box.
 * 11) Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol box, click From this port, and then type 161 in the box. Click To this port, and then type 161 in the box.
 * 12) Click OK.
 * 13) In the IP Filter List dialog box, click Add.
 * 14) In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addressess check box.
 * 15) Click the Protocol tab. In the Select a protocol type box, click UDP. In the Set the IP protocol box, click From this port, and then type 162 in the box. Click To this port, and then type 162 in the box.
 * 16) Click OK.
 * 17) In the IP Filter List dialog box, click Add.
 * 18) In the Source address box on the Addresses tab of the IP Filter Properties dialog box that appears, click Any IP address. In the Destination address box, click My IP Address. Click to select the Mirrored. Match packets with the exact opposite source and destination addressess check box.
 * 19) Click the Protocol tab. In the Select a protocol type box, click TCP. In the Set the IP protocol box, click From this port, and then type 162 in the box. Click To this port, and then type 162 in the box.
 * 20) Click OK.
 * 21) Click OK in the IP Filter List dialog box, and then click OK in the Manage IP filters lists and filter actions dialog box.

back to the top

Create an IPSec Policy
To create the IPSec Policy to force IPSec for SNMP communications, follow these steps:
 * 1) Right-click the IP Security Policies on Local Computer in the left pane, and then click Create IP Security Policy.

The IP Security Policy Wizard starts.
 * 1) Click Next.
 * 2) On the IP Security Policy Name page, type Secure SNMP in the Name box. In the Description box, type Force IPSec for SNMP Communications, and then click Next.
 * 3) Click to clear the Activate the default response rule check box, and then click Next.
 * 4) On the Completing the IP Security Policy Wizard page, verify that the Edit properties check box is selected, and then click Finish.
 * 5) In the Secure SNMP Properties dialog box, click to clear the Use Add Wizard check box, and then click Add.
 * 6) Click the IP Filter List tab, and then click SNMP Messages (161/162).
 * 7) Click the Filter Action tab, and then click Require Security.
 * 8) Click the Authentication Methods tab. Kerberos is the default authentication method. If you require alternate authentication methods, click Add. In the New Authentication Method Properties dialog box, select the authentication method that you want from the following list, and then click OK:
 * 9) * Active Directory default (Kerberos V5 protocol)
 * 10) * Use a certificate from the certification authority (CA)
 * 11) * Use this string (preshared key)
 * 12) In the New Rule Properties dialog box, click Apply, and then click OK.
 * 13) In the SNMP Properties dialog box, verify that the SNMP Messages (161/162) check box is selected, and then click OK.
 * 14) In the right pane of the Local Security Settings console, right-click the Secure SNMP rule, and then click Assign.

Complete this procedure on all Windows-based computers that are running the SNMP service. This IPSec Policy must also be configured on the SNMP management station.

back to the top

