Be careful with SNMP

Look out when you install the SNMP service. It can cause a host of security problems.

Tom Lancaster

The Simple Network Management Protocol is the foundation of a lot of extremely useful tools. In Microsoft's Windows NT and 2000 platforms, SNMP agents are implemented in the form of two services: SNMP Service and SNMP Trap Service. Unfortunately, when many system administrators are installing Windows, they see these services and choose to install them. I say "unfortunately" because they often don't know how to configure SNMP because it has some non-intuitive terminology. And when left in the default configuration, it is an enormous security risk. Note that this tendency isn't unique to Windows admins; in fact, it may be more prevalent on Unix and Linux servers.

Although we certainly don't have the space to cover the details of SNMP, it is important to understand "communities." SNMP uses a string of text called a community string much like a password. SNMP programs will send requests or instructions to SNMP agents (the SNMP services in Windows OS are the agents), and included in the request will be a community string. The agent will compare this community string to its own list of communities and either permit or deny the request.

As an administrator, if you want to install SNMP, it is imperative that you configure these community strings on the agents. You do this by typing in a community and then assigning rights to it (typically either read-only or read-write) in the Agent and Security tabs of the service properties. This task is imperative because by default, SNMP has two strings: "public" allows read-only access, and "private" allows read-write access. Of course, "private" is something of a misnomer because anyone familiar with SNMP can send an instruction with the community "private" and reconfigure your server WITHOUT LOGGING IN! It is worth repeating that the SNMP agent totally bypasses all Windows security. No account, username or password is required; just the community string. To make matters even worse, these community strings are passed in nearly every SNMP packet in clear text across your network, so anyone with a sniffer can quickly find your community strings, even if you change them from the default.

Nevertheless, you should immediately delete the "public" and "private" communities and replace them with your own. If you don't have a network management station that is actively monitoring your servers or desktops, you should disable or uninstall the SNMP services.
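To check whether a server still carries the defaults described above, the following added script (not from the article) audits a `reg export` of the SNMP service's Parameters key for default community names, read-write rights, an empty manager list and disabled authentication traps. It assumes the Windows 2000-style layout (one DWORD per community under ValidCommunities, host entries under PermittedManagers) and uses a constructed sample export.

```python
# Added example: audit an exported SNMP Parameters key for the weak defaults.
# Key layout and rights values are assumptions about the Windows 2000+ agent.
PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters"
# Rights bitmask stored per community (assumption about the key layout).
RIGHTS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ WRITE", 16: "READ CREATE"}
DEFAULT_COMMUNITIES = {"public", "private"}

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from REGEDIT4 / 5.00 export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")
            name = name if name == "@" else name.strip('"')
            # dword data is hex; everything else is kept as a plain string
            keys[current][name] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys

def audit_snmp(text):
    """List the weak settings found in the export (empty list means none found)."""
    keys, findings = parse_reg_export(text), []
    for name, rights in keys.get(PARAMS + r"\ValidCommunities", {}).items():
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{name}' is still present")
        if isinstance(rights, int) and rights >= 8:
            findings.append(f"community '{name}' has {RIGHTS.get(rights, rights)} rights")
    managers = {k: v for k, v in keys.get(PARAMS + r"\PermittedManagers", {}).items() if k != "@"}
    if not managers:
        findings.append("PermittedManagers is empty: the agent answers any host")
    if keys.get(PARAMS, {}).get("EnableAuthenticationTraps") != 1:
        findings.append("EnableAuthenticationTraps is off: bad community strings are not reported")
    return findings

# Constructed sample export showing the default configuration the article warns about.
SAMPLE_EXPORT = f"""Windows Registry Editor Version 5.00

[{PARAMS}]
"EnableAuthenticationTraps"=dword:00000000

[{PARAMS}\\ValidCommunities]
"public"=dword:00000004
"private"=dword:00000008

[{PARAMS}\\PermittedManagers]
"""
```

Run `reg export HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters snmp.reg` on the server and pass the file's text to `audit_snmp`; an empty result means none of the flagged defaults remain.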

Interestingly, the Windows SNMP agent supplies an enormous amount of information. For a peek at a fraction of it, download an SNMP tool from the Internet and point it at a test server with the SNMP agent turned on. My personal favorite tool is IP Browser from www.solarwinds.net. This amazing tool (and others like it) will scan an entire network, searching for devices that have SNMP agents. Once it finds them, it downloads and displays information about them.

For Windows NT/2000, this information includes all the accounts in the SAM (including hidden accounts!), all the shares (including hidden shares), and lots of information about the hardware, such as the number and size of hard disks and the NIC cards with their IP addresses and status. It even displays the entire routing table and ARP table, and much more.

It's not hard to see how this information can be very useful for administrators, which is why the protocol exists, but it also represents an open door to anyone to gather information and potentially change the configuration of your hosts.


Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.


This was first published in January 2002
