SNMP Best practices
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Update settings regularly.
Make sure that you monitor and update the host name settings on an ongoing basis. This will help ensure timely detection of any unauthorized access.
Allow hosts to accept packets only from specific hosts.
When you configure security options, do not click Accept packets from any host.
Configure authentication traps.
Take advantage of SNMP security checking by configuring authentication traps on all SNMP agents.
Verify proper functioning of service-specific components.
If you will be monitoring service-specific components, such as Dynamic Host Configuration Protocol (DHCP) or Windows Internet Name Service (WINS), verify that these services have been successfully installed and configured.
Use IPSec to secure SNMP messages.
Reduce the risk of internal attacks by configuring the SNMP agent systems to reject request messages from unauthorized management systems. For security purposes, use Internet Protocol security (IPSec) to secure SNMP messages by creating filter specifications in the appropriate IP filter list between SNMP management systems and agents.
Remember that SNMP is an insecure protocol.
If you decide to use SNMP to manage networks, remember that SNMP is an insecure protocol whose effectiveness depends solely on how you implement it.