SNMP security properties
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Simple network management protocol (SNMP) provides security through the use of authentication traps and community names. In addition, you can restrict SNMP communications for the agent, allowing it to communicate with only a specified list of SNMP management systems. Because the SNMP protocol provides minimal security, you should use SNMP only on trusted networks.
You can configure certain features of SNMP security on the Security tab in the SNMP Service Properties dialog box. These features provide a minimal level of security to your network, and you should use them in conjunction with other stronger methods of secure network management.
The following options can be configured to enable SNMP security:
Accepted community names. The service has no default community name. By default, SNMP will not respond to any community names presented. You can add, delete, or change multiple community names. If an SNMP request is received from a community that is not on this list, it will generate an authentication trap.
You can define community rights for a community name. The permission level selected in the SNMP Service Configuration dialog box determines how the SNMP agent processes requests from the selected community. For example, you can configure the permission level to block the SNMP agent from processing any requests from a specific community.
Accept SNMP packets from any host. In this context, no SNMP packets are rejected on the basis of the name or address of the source host or the list of acceptable hosts.
Accept SNMP packets from these hosts. In this context, the list of acceptable hosts means the acceptable SNMP management systems. This option is selected by default with localhost as the only hostname. Only SNMP packets received from localhost are accepted. SNMP messages from all other hosts are rejected and an authentication trap is sent. This option provides a higher level of security than using a community name, which might contain many hosts.
Send authentication trap. Authentication is the process of verifying that a host name or address is valid. When the SNMP agent receives a request that does not contain the correct community name or is not sent from a member of the acceptable host list, the agent sends an authentication trap message to one or more trap destinations (management systems), indicating the failure of authentication. This option is selected by default.
For more information on how to configure SNMP security, see Configure SNMP security properties.
The default Security tab settings are no communities listed under Accepted community names and one host name, localhost, under Accept SNMP packets from these hosts. The term localhost refers to the loopback interface on the local computer. You must add a community name of your choice to Accepted community names. For security reasons, naming a community Public is not recommended. You should monitor and update the settings on an ongoing basis to ensure timely detection of any unauthorized access.
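The following PowerShell script is an added example and is not part of the original article. It audits the four Security tab options described above, plus the default-settings advice about community names, by reading the registry keys the SNMP Service stores them in and reporting anything that weakens the configuration (a well-known community name such as Public, write-capable communities, no permitted-manager list, authentication traps switched off, no trap destination to receive them). The key layout under HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters (ValidCommunities, PermittedManagers, EnableAuthenticationTraps\switch, TrapConfiguration) and the permission codes 1/2/4/8/16 are assumptions about how the dialog box persists its settings; confirm them on your own build before relying on the output.

```powershell
# Added example, not from the original article. Audits the SNMP Service security
# settings that the Security tab writes to the registry. Run in an elevated session
# on the host being checked. Key layout and permission codes below are assumed.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

# Assumed mapping of the DWORD stored per community to the dialog's permission level.
$rightsByCode = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }

function Get-SnmpSecurityAudit {
    if (-not (Test-Path $base)) {
        Write-Warning 'SNMP Parameters key not found; is the SNMP Service installed?'
        return
    }
    $findings = @()

    # Accepted community names (ValidCommunities: one value per community, DWORD = rights)
    $communities = @()
    $commKey = Join-Path $base 'ValidCommunities'
    if (Test-Path $commKey) {
        $item = Get-Item $commKey
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }   # skip the unnamed (Default) value
            $code = [int]$item.GetValue($name)
            $communities += New-Object psobject -Property @{ Name = $name; Rights = $rightsByCode[$code] }
        }
    }
    if ($communities.Count -eq 0) {
        $findings += 'No accepted community names: agent answers no requests (the default).'
    }
    foreach ($c in $communities) {
        if ($c.Name -ieq 'public' -or $c.Name -ieq 'private') {
            $findings += "Community '$($c.Name)' is a well-known name; choose a different one."
        }
        if (@('READ WRITE', 'READ CREATE') -contains $c.Rights) {
            $findings += "Community '$($c.Name)' has $($c.Rights) rights; use READ ONLY unless writes are required."
        }
    }

    # Accept SNMP packets from these hosts (PermittedManagers: values "1","2",... = host names)
    $managers = @()
    $mgrKey = Join-Path $base 'PermittedManagers'
    if (Test-Path $mgrKey) {
        $item = Get-Item $mgrKey
        foreach ($name in $item.GetValueNames()) {
            if ($name -ne '') { $managers += [string]$item.GetValue($name) }
        }
    }
    if ($managers.Count -eq 0) {
        $findings += 'No permitted managers listed: packets are accepted from any host.'
    }

    # Send authentication trap (EnableAuthenticationTraps\switch = 1 means enabled)
    $trapProps = Get-ItemProperty -Path (Join-Path $base 'EnableAuthenticationTraps') -ErrorAction SilentlyContinue
    $authTraps = ($trapProps -ne $null -and [int]$trapProps.switch -eq 1)
    if (-not $authTraps) {
        $findings += 'Authentication traps are disabled; rejected requests will not be reported.'
    }

    # Trap destinations (TrapConfiguration: one subkey per trap community, values = destinations)
    $destinations = 0
    $trapCfg = Join-Path $base 'TrapConfiguration'
    if (Test-Path $trapCfg) {
        foreach ($sub in Get-ChildItem $trapCfg) {
            $destinations += @($sub.GetValueNames() | Where-Object { $_ -ne '' }).Count
        }
    }
    if ($authTraps -and $destinations -eq 0) {
        $findings += 'Authentication traps are enabled but no trap destination is configured.'
    }

    New-Object psobject -Property @{
        Communities        = $communities
        PermittedManagers  = $managers
        AuthTrapsEnabled   = $authTraps
        TrapDestinations   = $destinations
        Findings           = $findings
    }
}

Get-SnmpSecurityAudit | Format-List
```

The Findings list is what you would review on a schedule, as the last paragraph recommends; an empty list means every option above is set the way the article describes as the stronger choice. Because the script only reads the registry, it is safe to run from a monitoring account that has no rights to change the service.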