| Author | Messages | |
gabriel/tfi
Posts:136
 | | 04/17/2008 11:20 AM |
| <html><body><div>Do you see any problem in using SNMP on Domain Controllers?</div>
<div> </div>
<div>Thanks - Gabriele.</div></body></html>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| amulnick
Posts:127
| | 04/18/2008 9:16 AM |
| Which version of SNMP?
Other than security, I don't really have a big problem with it myself.
Mostly because I view it as a security risk and directly against what I'm
trying to do with a domain controller. If you can secure it though, then I
don't have a problem with SNMP management of a domain controller per se.
On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
> Do you see any problem in using SNMP on Domain Controllers?
>
> Thanks - Gabriele.
> List info : http://www.activedir.org/List.aspx List FAQ :
> http://www.activedir.org/ListFAQ.aspx List archive:
> http://www.activedir.org/ma/default.aspx
| | | |
| gabriel/tfi
Posts:136
| | 04/18/2008 12:15 PM |
| <html><body><div>The one included in Windows Server 2003 supporting v1 and v2c.</div>
<div> </div>
<div>AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are relatively easy to sniff and IP-spoofing.</div>
<div>The only way I can think of securing SNMP traffic is to use IPSec, but it does not look a viable solution actually.</div>
<div> </div>
<div>What other security I could implement? e.g. WRITE/SET capability disallowed on managed nodes (DCs)</div>
<div> </div>
<div>Thanks - Gabriele<BR></div>
<div ><BR><BR>
<BLOCKQUOTE style="PADDING-LEFT: 8px; MARGIN-LEFT: 8px; BORDER-LEFT: blue 2px solid" webmail="1">-------- Original Message --------<BR>Subject: Re: [ActiveDir] SNMP on DCs<BR>From: "Al Mulnick" <amulnick@gmail.com><BR>Date: Fri, April 18, 2008 3:15 pm<BR>To: <a href="javascript:window.location.replace('ma'+'ilto:'+'ActiveDir'+'@'+'mail'+'.activedir')".org">ActiveDir@mail.activedir.org</a><BR><BR>
<DIV>Which version of SNMP? <BR></DIV>
<DIV>Other than security, I don't really have a big problem with it myself. Mostly because I view it as a security risk and directly against what I'm trying to do with a domain controller. If you can secure it though, then I don't have a problem with SNMP management of a domain controller per se. </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR> </DIV>
<DIV class=gmail_quote>On Thu, Apr 17, 2008 at 11:15 AM, <<A onclick="Popup.composeWindow('pcompose.php?sendto=gabro%40gabro.net');; return false;" href="javascript:window.location.replace('ma'+'ilto:'+'gabro'+'@'+'gabro'+'.net')" target=_blank><a href="javascript:window.location.replace('ma'+'ilto:'+'gabro'+'@'+'gabro'+'.net')">gabro@gabro.net</a></A>> wrote:<BR>
<BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<DIV>
<DIV>Do you see any problem in using SNMP on Domain Controllers?</DIV>
<DIV> </DIV>
<DIV>Thanks - Gabriele.</DIV></DIV>List info : <A href="http://www.activedir.org/List.aspx" target=_blank><a href="http://www.activedir.org/List.aspx">http://www.activedir.org/List.aspx</a></A> List FAQ : <A href="http://www.activedir.org/ListFAQ.aspx" target=_blank><a href="http://www.activedir.org/ListFAQ.aspx">http://www.activedir.org/ListFAQ.aspx</a></A> List archive: <A href="http://www.activedir.org/ma/default.aspx" target=_blank><a href="http://www.activedir.org/ma/default.aspx">http://www.activedir..org/ma/default.aspx</a></A> </BLOCKQUOTE></DIV><BR></BLOCKQUOTE></DIV></body></html>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
| | | |
| amulnick
Posts:127
| | 04/18/2008 2:07 PM |
| Just for a level set, what it is the end result that you need? What options
do you have?
On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
> The one included in Windows Server 2003 supporting v1 and v2c.
>
> AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are
> relatively easy to sniff and IP-spoofing.
> The only way I can think of securing SNMP traffic is to use IPSec, but it
> does not look a viable solution actually.
>
> What other security I could implement? e.g. WRITE/SET capability
> disallowed on managed nodes (DCs)
>
> Thanks - Gabriele
>
>
> -------- Original Message --------
> Subject: Re: [ActiveDir] SNMP on DCs
> From: "Al Mulnick" <amulnick@gmail.com>
> Date: Fri, April 18, 2008 3:15 pm
> To: ActiveDir@mail.activedir.org
>
> Which version of SNMP?
> Other than security, I don't really have a big problem with it myself.
> Mostly because I view it as a security risk and directly against what I'm
> trying to do with a domain controller. If you can secure it though, then I
> don't have a problem with SNMP management of a domain controller per se.
>
>
>
>
> On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
>
> > Do you see any problem in using SNMP on Domain Controllers?
> >
> > Thanks - Gabriele.
> > List info : http://www.activedir.org/List.aspx List FAQ :
> > http://www.activedir.org/ListFAQ.aspx List archive:
> > http://www.activedir..org/ma/default.aspx<http://www.activedir.org/ma/default.aspx><http://www.activedir.org/ma/default.aspx>
>
>
> List info : http://www.activedir.org/List.aspx List FAQ :
> http://www.activedir.org/ListFAQ.aspx List archive:
> http://www.activedir.org/ma/default.aspx
>
| | | |
| gabriel/tfi
Posts:136
| | 04/20/2008 5:16 PM |
| Our network team uses a monitoring tool that relies on SNMPv2 and offered us (DAs) to monitor AD as well, so I was wondering about the security implications of enabling SNMPv2 on DCs.
Thanks – Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: venerdì 18 aprile 2008 20.04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
Just for a level set, what it is the end result that you need? What options do you have?
On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
The one included in Windows Server 2003 supporting v1 and v2c.
AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are relatively easy to sniff and IP-spoofing.
The only way I can think of securing SNMP traffic is to use IPSec, but it does not look a viable solution actually.
What other security I could implement? e.g. WRITE/SET capability disallowed on managed nodes (DCs)
Thanks - Gabriele
-------- Original Message --------
Subject: Re: [ActiveDir] SNMP on DCs
From: "Al Mulnick" <amulnick@gmail.com>
X-te: Fri, April 18, 2008 3:15 pm
To: ActiveDir@mail.activedir.org
Which version of SNMP?
Other than security, I don't really have a big problem with it myself. Mostly because I view it as a security risk and directly against what I'm trying to do with a domain controller. If you can secure it though, then I don't have a problem with SNMP management of a domain controller per se.
On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
Do you see any problem in using SNMP on Domain Controllers?
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir..org/ma/default.aspx <http://www.activedir.org/ma/default.aspx>
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |
| bdesmond
Posts:347
| | 04/20/2008 5:26 PM |
| There's a limit to how much you can get out of Windows SNMP without some 3rd
party addons as I recall. If you set it up with SNMP read and I think you
can also limit hte ource addresses, can't be that big of a deal.
Bottom line though I'm not sure how useful it will be.
Thanks,
Brian
On Sun, Apr 20, 2008 at 5:13 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
> Our network team uses a monitoring tool that relies on SNMPv2 and offered
> us (DAs) to monitor AD as well, so I was wondering about the security
> implications of enabling SNMPv2 on DCs.
>
>
>
> Thanks – Gabriele.
>
>
>
> *From:* ActiveDir-owner@mail.activedir.org [mailto:
> ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> *Sent:* venerdì 18 aprile 2008 20.04
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] SNMP on DCs
>
>
>
> Just for a level set, what it is the end result that you need? What
> options do you have?
>
> On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
>
> The one included in Windows Server 2003 supporting v1 and v2c.
>
>
>
> AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are
> relatively easy to sniff and IP-spoofing.
>
> The only way I can think of securing SNMP traffic is to use IPSec, but it
> does not look a viable solution actually.
>
>
>
> What other security I could implement? e.g. WRITE/SET capability
> disallowed on managed nodes (DCs)
>
>
>
> Thanks - Gabriele
>
>
>
> -------- Original Message --------
> Subject: Re: [ActiveDir] SNMP on DCs
> From: "Al Mulnick" <amulnick@gmail.com>
> X-te: Fri, April 18, 2008 3:15 pm
> To: ActiveDir@mail.activedir.org
>
> Which version of SNMP?
>
> Other than security, I don't really have a big problem with it myself.
> Mostly because I view it as a security risk and directly against what I'm
> trying to do with a domain controller. If you can secure it though, then I
> don't have a problem with SNMP management of a domain controller per se.
>
>
>
>
>
>
>
>
> On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
>
> Do you see any problem in using SNMP on Domain Controllers?
>
>
>
> Thanks - Gabriele.
>
> List info : http://www.activedir.org/List.aspx List FAQ :
> http://www.activedir.org/ListFAQ.aspx List archive:
> http://www.activedir..org/ma/default.aspx<http://www.activedir.org/ma/default.aspx>
>
>
>
> List info : http://www.activedir.org/List.aspx List FAQ :
> http://www.activedir.org/ListFAQ.aspx List archive:
> http://www.activedir.org/ma/default.aspx
>
>
>
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
| amulnick
Posts:127
| | 04/20/2008 6:57 PM |
| | BTW, a quick check shows that the last snmp vulnerabilities were patched by
Microsoft and the vulnerability is therefore not considered active by some
accounts. I just view it as an attack vector for DoS and ownership attacks
that provides little in return. All that for your security hosts. Not my
idea of a good trade-off.
On Sun, Apr 20, 2008 at 5:23 PM, Brian Desmond <brian@briandesmond.com>
wrote:
> There's a limit to how much you can get out of Windows SNMP without some
> 3rd party addons as I recall. If you set it up with SNMP read and I think
> you can also limit hte ource addresses, can't be that big of a deal.
>
> Bottom line though I'm not sure how useful it will be.
>
> Thanks,
> Brian
>
> On Sun, Apr 20, 2008 at 5:13 PM, Gabriele Scolaro <gabro@gabro.net>
> wrote:
>
> > Our network team uses a monitoring tool that relies on SNMPv2 and
> > offered us (DAs) to monitor AD as well, so I was wondering about the
> > security implications of enabling SNMPv2 on DCs.
> >
> >
> >
> > Thanks – Gabriele.
> >
> >
> >
> > *From:* ActiveDir-owner@mail.activedir.org [mailto:
> > ActiveDir-owner@mail.activedir.org] *On Behalf Of *Al Mulnick
> > *Sent:* venerdì 18 aprile 2008 20.04
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [ActiveDir] SNMP on DCs
> >
> >
> >
> > Just for a level set, what it is the end result that you need? What
> > options do you have?
> >
> > On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
> >
> > The one included in Windows Server 2003 supporting v1 and v2c.
> >
> >
> >
> > AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are
> > relatively easy to sniff and IP-spoofing.
> >
> > The only way I can think of securing SNMP traffic is to use IPSec, but
> > it does not look a viable solution actually.
> >
> >
> >
> > What other security I could implement? e.g. WRITE/SET capability
> > disallowed on managed nodes (DCs)
> >
> >
> >
> > Thanks - Gabriele
> >
> >
> >
> > -------- Original Message --------
> > Subject: Re: [ActiveDir] SNMP on DCs
> > From: "Al Mulnick" <amulnick@gmail.com>
> > X-te: Fri, April 18, 2008 3:15 pm
> > To: ActiveDir@mail.activedir.org
> >
> > Which version of SNMP?
> >
> > Other than security, I don't really have a big problem with it myself.
> > Mostly because I view it as a security risk and directly against what I'm
> > trying to do with a domain controller. If you can secure it though, then I
> > don't have a problem with SNMP management of a domain controller per se.
> >
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
> >
> > Do you see any problem in using SNMP on Domain Controllers?
> >
> >
> >
> > Thanks - Gabriele.
> >
> > List info : http://www.activedir.org/List.aspx List FAQ :
> > http://www.activedir.org/ListFAQ.aspx List archive:
> > http://www.activedir..org/ma/default.aspx<http://www.activedir.org/ma/default.aspx>
> >
> >
> >
> > List info : http://www.activedir.org/List.aspx List FAQ :
> > http://www.activedir.org/ListFAQ.aspx List archive:
> > http://www.activedir.org/ma/default.aspx
> >
> >
> >
>
>
>
> --
> Thanks,
> Brian Desmond
> brian@briandesmond.com
>
> c - 312.731.3132
| | | |
| robertsingers
Posts:143
| | 04/20/2008 7:33 PM |
| If your hardware vendor only provides in band SNMP hardware agents you need to have the Microsoft SNMP enabled. So I have to disagree with you. There is a huge return in being able to detect hardware failures. But if you're not using SNMP for hardware monitoring I agree ,WMI and other methods will give you more than SNMP will.
Personally I'm much happier with out of band SNMP such as with the Dell DRAC cards.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Monday, 21 April 2008 10:57 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
BTW, a quick check shows that the last snmp vulnerabilities were patched by Microsoft and the vulnerability is therefore not considered active by some accounts. I just view it as an attack vector for DoS and ownership attacks that provides little in return. All that for your security hosts. Not my idea of a good trade-off.
On Sun, Apr 20, 2008 at 5:23 PM, Brian Desmond <brian@briandesmond.com> wrote:
There's a limit to how much you can get out of Windows SNMP without some 3rd party addons as I recall. If you set it up with SNMP read and I think you can also limit hte ource addresses, can't be that big of a deal.
Bottom line though I'm not sure how useful it will be.
Thanks,
Brian
On Sun, Apr 20, 2008 at 5:13 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
Our network team uses a monitoring tool that relies on SNMPv2 and offered us (DAs) to monitor AD as well, so I was wondering about the security implications of enabling SNMPv2 on DCs.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: venerdì 18 aprile 2008 20.04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
Just for a level set, what it is the end result that you need? What options do you have?
On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
The one included in Windows Server 2003 supporting v1 and v2c.
AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are relatively easy to sniff and IP-spoofing.
The only way I can think of securing SNMP traffic is to use IPSec, but it does not look a viable solution actually.
What other security I could implement? e.g. WRITE/SET capability disallowed on managed nodes (DCs)
Thanks - Gabriele
-------- Original Message --------
Subject: Re: [ActiveDir] SNMP on DCs
From: "Al Mulnick" <amulnick@gmail.com>
X-te: Fri, April 18, 2008 3:15 pm
To: ActiveDir@mail.activedir.org
Which version of SNMP?
Other than security, I don't really have a big problem with it myself. Mostly because I view it as a security risk and directly against what I'm trying to do with a domain controller. If you can secure it though, then I don't have a problem with SNMP management of a domain controller per se.
On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
Do you see any problem in using SNMP on Domain Controllers?
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir..org/ma/default.aspx <http://www.activedir.org/ma/default.aspx>
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
________________________________
This e-mail message has been scanned for Viruses and cleared by NetIQ MailMarshal
________________________________
############################################################
PLEASE NOTE:
The information contained in this email message and any
attached files may be confidential and subject to privilege.
Any opinions expressed in this message are not necessarily
those of the Department of Building and Housing. All technical
opinions are offered on a no-liability basis. This message
and any files transmitted with it are confidential and solely
for the use of the intended recipient. If you are not the
intended recipient, you are notified that any use, disclosure
or copying of this email is unauthorised. If you have received
this email in error, please notify us immediately by reply email
and delete the original and any attachment(s). Thank you.
############################################################
| | | |
| mbarker
Posts:11
| | 04/20/2008 9:30 PM |
| We're using SNMP (read-only) on most all our systems and can get some great things via our Solarwinds Orion system. For servers I can get traffic stats on the NICs, memory/disk utilization etc, reboot events you name it. The key is read-only strings, and to setup permitted hosts. I'm not sure what you'll get specifically for AD, but the host level stuff is great on its own using our solution.
Personally I love the fact that it works without an agent. I can get stats from Enterasys, Cisco, Brocade, HP Proliant, Dell, HP-UX, Solaris, Linux... (you get the picture) all from the same console.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Brian Desmond
Sent: Sunday, April 20, 2008 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
There's a limit to how much you can get out of Windows SNMP without some 3rd party addons as I recall. If you set it up with SNMP read and I think you can also limit hte ource addresses, can't be that big of a deal.
Bottom line though I'm not sure how useful it will be.
Thanks,
Brian
On Sun, Apr 20, 2008 at 5:13 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
Our network team uses a monitoring tool that relies on SNMPv2 and offered us (DAs) to monitor AD as well, so I was wondering about the security implications of enabling SNMPv2 on DCs.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: venerdì 18 aprile 2008 20.04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
Just for a level set, what it is the end result that you need? What options do you have?
On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
The one included in Windows Server 2003 supporting v1 and v2c.
AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are relatively easy to sniff and IP-spoofing.
The only way I can think of securing SNMP traffic is to use IPSec, but it does not look a viable solution actually.
What other security I could implement? e.g. WRITE/SET capability disallowed on managed nodes (DCs)
Thanks - Gabriele
-------- Original Message --------
Subject: Re: [ActiveDir] SNMP on DCs
From: "Al Mulnick" <amulnick@gmail.com>
X-te: Fri, April 18, 2008 3:15 pm
To: ActiveDir@mail.activedir.org
Which version of SNMP?
Other than security, I don't really have a big problem with it myself. Mostly because I view it as a security risk and directly against what I'm trying to do with a domain controller. If you can secure it though, then I don't have a problem with SNMP management of a domain controller per se.
On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
Do you see any problem in using SNMP on Domain Controllers?
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir..org/ma/default.aspx <http://www.activedir.org/ma/default.aspx>
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
| | | |
| sslists
Posts:18
| | 04/20/2008 9:30 PM |
| Depending on your monitoring software, this should decide if SNMP is enabled. If you use SNMP, you can restrict in the SNMP service which hosts to listen on. That is one way of locking it down. I agree on monitoring for hardware, Dell has a good hardware SNMP monitoring agent. It's been too many years for me to remember what HP / Compaq has.
Thanks,
Steve
----- Original Message -----
From: Robert Singers
To: ActiveDir@mail.activedir.org
Sent: Sunday, April 20, 2008 7:31 PM
Subject: RE: [ActiveDir] SNMP on DCs
If your hardware vendor only provides in band SNMP hardware agents you need to have the Microsoft SNMP enabled. So I have to disagree with you. There is a huge return in being able to detect hardware failures. But if you're not using SNMP for hardware monitoring I agree ,WMI and other methods will give you more than SNMP will.
Personally I'm much happier with out of band SNMP such as with the Dell DRAC cards.
------------------------------------------------------------------------------
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Monday, 21 April 2008 10:57 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
BTW, a quick check shows that the last snmp vulnerabilities were patched by Microsoft and the vulnerability is therefore not considered active by some accounts. I just view it as an attack vector for DoS and ownership attacks that provides little in return. All that for your security hosts. Not my idea of a good trade-off.
On Sun, Apr 20, 2008 at 5:23 PM, Brian Desmond <brian@briandesmond.com> wrote:
There's a limit to how much you can get out of Windows SNMP without some 3rd party addons as I recall. If you set it up with SNMP read and I think you can also limit hte ource addresses, can't be that big of a deal.
Bottom line though I'm not sure how useful it will be.
Thanks,
Brian
On Sun, Apr 20, 2008 at 5:13 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
Our network team uses a monitoring tool that relies on SNMPv2 and offered us (DAs) to monitor AD as well, so I was wondering about the security implications of enabling SNMPv2 on DCs.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: venerdì 18 aprile 2008 20.04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
Just for a level set, what it is the end result that you need? What options do you have?
On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
The one included in Windows Server 2003 supporting v1 and v2c.
AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are relatively easy to sniff and IP-spoofing.
The only way I can think of securing SNMP traffic is to use IPSec, but it does not look a viable solution actually.
What other security I could implement? e.g. WRITE/SET capability disallowed on managed nodes (DCs)
Thanks - Gabriele
-------- Original Message --------
Subject: Re: [ActiveDir] SNMP on DCs
From: "Al Mulnick" <amulnick@gmail.com>
X-te: Fri, April 18, 2008 3:15 pm
To: ActiveDir@mail.activedir.org
Which version of SNMP?
Other than security, I don't really have a big problem with it myself. Mostly because I view it as a security risk and directly against what I'm trying to do with a domain controller. If you can secure it though, then I don't have a problem with SNMP management of a domain controller per se.
On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
Do you see any problem in using SNMP on Domain Controllers?
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir..org/ma/default.aspx
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
------------------------------------------------------------------------------
This e-mail message has been scanned for Viruses and cleared by NetIQ MailMarshal
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Please Note:
The information contained in this email message and any attached files may be confidential and subject to privilege. Any opinions expressed in this message are not necessarily those of the Department of Building and Housing. All technical opinions are offered on a 'no-liability' basis. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient, you are notified that any use, disclosure or copying of this email is unauthorised. If you have received this email in error, please notify us immediately by reply email and delete the original and any attachment(s). Thank you.
------------------------------------------------------------------------------
| | | |
| robertsingers
Posts:143
| | 04/20/2008 9:55 PM |
| The HP / Compaq InSight agents run as software agents. They need to have SNMP enabled to work. I've had instances in the past where one of the mirrored system disk has failed causing the O/S to lock up but the TCP/IP stack to keep working.
That taught me that ping is not a test of a server being online. The nice thing about using Argent as a monitoring tool is the standard test of a Windows being online is a net TOD api call.
My milage is varying getting hardware failures from the insight agents. Some servers work but others don't. I haven't spent to much time looking at it because I basically never trust a server I haven't built :-)
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Steve Schofield
Sent: Monday, 21 April 2008 1:28 p.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
Depending on your monitoring software, this should decide if SNMP is enabled. If you use SNMP, you can restrict in the SNMP service which hosts to listen on. That is one way of locking it down. I agree on monitoring for hardware, Dell has a good hardware SNMP monitoring agent. It's been too many years for me to remember what HP / Compaq has.
Thanks,
Steve
----- Original Message -----
From: Robert Singers <mailto:robert.singers@dbh.govt.nz>
To: ActiveDir@mail.activedir.org
Sent: Sunday, April 20, 2008 7:31 PM
Subject: RE: [ActiveDir] SNMP on DCs
If your hardware vendor only provides in band SNMP hardware agents you need to have the Microsoft SNMP enabled. So I have to disagree with you. There is a huge return in being able to detect hardware failures. But if you're not using SNMP for hardware monitoring I agree ,WMI and other methods will give you more than SNMP will.
Personally I'm much happier with out of band SNMP such as with the Dell DRAC cards.
________________________________
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: Monday, 21 April 2008 10:57 a.m.
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
BTW, a quick check shows that the last snmp vulnerabilities were patched by Microsoft and the vulnerability is therefore not considered active by some accounts. I just view it as an attack vector for DoS and ownership attacks that provides little in return. All that for your security hosts. Not my idea of a good trade-off.
On Sun, Apr 20, 2008 at 5:23 PM, Brian Desmond <brian@briandesmond.com> wrote:
There's a limit to how much you can get out of Windows SNMP without some 3rd party addons as I recall. If you set it up with SNMP read and I think you can also limit hte ource addresses, can't be that big of a deal.
Bottom line though I'm not sure how useful it will be.
Thanks,
Brian
On Sun, Apr 20, 2008 at 5:13 PM, Gabriele Scolaro <gabro@gabro.net> wrote:
Our network team uses a monitoring tool that relies on SNMPv2 and offered us (DAs) to monitor AD as well, so I was wondering about the security implications of enabling SNMPv2 on DCs.
Thanks - Gabriele.
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Al Mulnick
Sent: venerdì 18 aprile 2008 20.04
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SNMP on DCs
Just for a level set, what it is the end result that you need? What options do you have?
On Fri, Apr 18, 2008 at 12:14 PM, <gabro@gabro.net> wrote:
The one included in Windows Server 2003 supporting v1 and v2c.
AFAIK, SNMPv1&v2 messages go over clear-text UDP packets that are relatively easy to sniff and IP-spoofing.
The only way I can think of securing SNMP traffic is to use IPSec, but it does not look a viable solution actually.
What other security I could implement? e.g. WRITE/SET capability disallowed on managed nodes (DCs)
Thanks - Gabriele
-------- Original Message --------
Subject: Re: [ActiveDir] SNMP on DCs
From: "Al Mulnick" <amulnick@gmail.com>
X-te: Fri, April 18, 2008 3:15 pm
To: ActiveDir@mail.activedir.org
Which version of SNMP?
Other than security, I don't really have a big problem with it myself. Mostly because I view it as a security risk and directly against what I'm trying to do with a domain controller. If you can secure it though, then I don't have a problem with SNMP management of a domain controller per se.
On Thu, Apr 17, 2008 at 11:15 AM, <gabro@gabro.net> wrote:
Do you see any problem in using SNMP on Domain Controllers?
Thanks - Gabriele.
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir..org/ma/default.aspx <http://www.activedir.org/ma/default.aspx>
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
--
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
________________________________
This e-mail message has been scanned for Viruses and cleared by NetIQ MailMarshal
________________________________
________________________________
Please Note:
The information contained in this email message and any attached files may be confidential and subject to privilege. Any opinions expressed in this message are not necessarily those of the Department of Building and Housing. All technical opinions are offered on a 'no-liability' basis. This message and any files transmitted with it are confidential and solely for the use of the intended recipient. If you are not the intended recipient, you are notified that any use, disclosure or copying of this email is unauthorised. If you have received this email in error, please notify us immediately by reply email and delete the original and any attachment(s). Thank you.
________________________________
############################################################
PLEASE NOTE:
The information contained in this email message and any
attached files may be confidential and subject to privilege.
Any opinions expressed in this message are not necessarily
those of the Department of Building and Housing. All technical
opinions are offered on a no-liability basis. This message
and any files transmitted with it are confidential and solely
for the use of the intended recipient. If you are not the
intended recipient, you are notified that any use, disclosure
or copying of this email is unauthorised. If you have received
this email in error, please notify us immediately by reply email
and delete the original and any attachment(s). Thank you.
############################################################
| | | |
|
|