Communities

Each SNMP management host and agent belongs to an SNMP community. An SNMP community is a collection of hosts grouped together for administrative purposes. Deciding what computers should belong to the same community is generally, but not always, determined by the physical proximity of the computers. Communities are identified by the names you assign to them.

Community names can be used to authenticate SNMP messages and thus provide a rudimentary security scheme for the SNMP service. Although a host can belong to several communities at the same time, an SNMP agent does not accept requests from a management system in a community that is not on its list of acceptable community names.

There is no relationship between community names and domain names or workgroup names. A community name can be thought of as a password shared by SNMP management consoles and managed computers. It is your responsibility as a system administrator to set hard-to-guess community names when you install the SNMP service.

In the example illustrated in Figure 10.4, there are two communities — Public and Public2. Agent1 can respond to SNMP requests from and can send traps to Manager2 because they are both members of the Public2 community. Agent2, Agent3, and Agent4 can respond to SNMP requests from and can send traps to Manager1 because they are all members of the (default) Public community.


Figure 10.4 Example of SNMP Communities

Community names are managed by configuring the SNMP security properties. For more information about configuring security properties, see Windows 2000 Server Help.

When an SNMP agent receives a message, the community name contained in the packet is verified against the agent's list of acceptable community names. After the name is determined to be acceptable, the request is evaluated against the agent's list of access permissions for that community. The types of permissions that can be granted to a community include the following:

  • None
    The SNMP agent does not process the request. When the agent receives an SNMP message from a management system in this community, it discards the request and generates an authentication trap.

  • Notify
    This is currently identical to the permission of None.

  • Read Only
    The agent does not process SET requests from this community. It processes only GET, GET-NEXT, and GET-BULK requests. The agent discards SET requests from management systems in this community and generates an authentication trap.

  • Read Create
    The SNMP agent processes or creates all requests from this community. It processes SET, GET, GET-NEXT, and GET-BULK requests, including SET requests that require the addition of a new object to a MIB table.

  • Read Write
    Currently identical to Read Create.

Community permissions are configured by using the SNMP Security tab of the Microsoft SNMP Properties dialog box.

Community names are transmitted as cleartext, that is, without encryption. Because anyone who can capture traffic on the network with network analysis software can read an unencrypted community name, the use of SNMP community names represents a potential security risk. However, Windows 2000 IP Security can be configured to help protect SNMP messages from these attacks. For more information about configuring for IP security, see "Securing SNMP Messages with IP Security" in this chapter.
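The following is an added illustration, not code from the Windows 2000 SNMP service: a small Python model of the two-step check described above (is the community name on the agent's list, and does the request type fall within that community's permission level), applied to constructed SNMPv2c messages. The minimal BER decoder also makes the cleartext point concrete, since the community name is read straight out of the packet as an ordinary OCTET STRING. The PDU tag values are those of RFC 1157/1905; the agent tables used in the assertions are hypothetical and follow Figure 10.4.

```python
# PDU tags from RFC 1157 / RFC 1905 (context-specific, constructed)
PDU_TAGS = {"GET": 0xA0, "GET-NEXT": 0xA1, "SET": 0xA3, "GET-BULK": 0xA5}
PDU_NAMES = {tag: name for name, tag in PDU_TAGS.items()}

# Permission levels as listed on the SNMP Security tab
READ_PDUS = {"GET", "GET-NEXT", "GET-BULK"}
ALLOWED = {
    "None": set(),
    "Notify": set(),                    # currently identical to None
    "Read Only": READ_PDUS,
    "Read Create": READ_PDUS | {"SET"},
    "Read Write": READ_PDUS | {"SET"},  # currently identical to Read Create
}

def _tlv(buf: bytes, pos: int):
    """Decode one BER TLV with definite length; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(msg: bytes):
    """Return (community, pdu_name). The community is a plain OCTET STRING:
    anyone holding the packet bytes can read it, which is the cleartext risk."""
    tag, body, _ = _tlv(msg, 0)
    vtag, _version, pos = _tlv(body, 0)
    ctag, community, pos = _tlv(body, pos)
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04):
        raise ValueError("not an SNMPv1/v2c message header")
    return community.decode("ascii", "replace"), PDU_NAMES.get(body[pos], "UNKNOWN")

def evaluate(agent_table: dict, msg: bytes):
    """Agent-side check: returns (processed, authentication_trap, reason)."""
    community, pdu = parse_header(msg)
    if community not in agent_table:
        return False, True, f"community {community!r} not in accepted list"
    perm = agent_table[community]
    if pdu in ALLOWED[perm]:
        return True, False, f"{pdu} permitted for {community!r} ({perm})"
    return False, True, f"{pdu} discarded for {community!r} ({perm})"

def build_message(community: str, pdu: str, version: int = 1) -> bytes:
    """Constructed SNMPv2c (version=1) request with an empty variable-bindings list."""
    def enc(tag, content): return bytes([tag, len(content)]) + content
    pdu_body = enc(0x02, b"\x01") + enc(0x02, b"\x00") * 2 + enc(0x30, b"")
    header = enc(0x02, bytes([version])) + enc(0x04, community.encode())
    return enc(0x30, header + enc(PDU_TAGS[pdu], pdu_body))
```

With a hypothetical Agent1 table of `{"Public2": "Read Only"}`, a GET carrying `Public2` is processed, while a SET carrying `Public2` or any request carrying `Public` is discarded with an authentication trap.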