Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can assign groups of hosts to Simple Network Management Protocol (SNMP) communities for limited security checking of agents and management systems or for administrative purposes. Communities are identified by community names that you assign. A host can belong to multiple communities at the same time, but an agent does not accept a request from a management system outside its list of acceptable community names.
For more information, see SNMP Best practices.
Define communities logically to take advantage of the basic authentication service provided by SNMP. In the following example, there are two communities: Public 1 and Public 2.
Agent 1 can send traps to Manager 2 and respond to requests from Manager 2 because they are both members of the Public 2 community.
Agents 2-4 can send traps to Manager 1 and respond to requests from Manager 1 because they are all members, by default, of the Public 1 community.
Community names are sent across the network as plaintext. Because attackers can read plaintext with network analysis software, sending SNMP community names across the network represents a potential security risk. You can help protect SNMP messages by configuring Internet Protocol security (IPSec). For more information about configuring SNMP for IPSec, see Securing SNMP messages with IPSec.
There is no relationship between community names and domain or workgroup names. Community names represent a shared password for groups of network hosts, and should be selected and changed as you would change any password.
Use community names primarily as an element for organization, not security.
You should not create a community that is named Public and grant it read access. You should also specify hosts from which packets can be accepted, rather than clicking Accept packets from any host.