How to Set Up SNMP Monitoring on Windows Server 2012 R2

Simple Network Management Protocol (SNMP) is a widely supported protocol used by network monitoring tools such as PRTG, Nagios, SolarWinds, and Cacti to collect performance and health data from network-connected devices and servers. Windows Server 2012 R2 includes a built-in SNMP service that exposes system performance counters, network interface statistics, and service availability data via SNMP MIB-II objects. This guide covers installing and configuring the SNMP service, securing it with community strings and access restrictions, and verifying connectivity from a monitoring host.

Prerequisites

Administrator privileges are required. A monitoring host running an SNMP manager (PRTG, Zabbix, Nagios, etc.) should be available to verify SNMP responses. The IP address of the monitoring host is needed for access control configuration. Plan your SNMP community strings in advance — avoid using “public” as the community string in production environments as it is a well-known default that attackers routinely probe.

Step 1: Install the SNMP Service

The SNMP Service is an optional Windows feature that must be installed before configuration. Install it via PowerShell:

Install-WindowsFeature SNMP-Service -IncludeManagementTools

This installs both the SNMP Service and the SNMP WMI Provider. Verify installation:

Get-WindowsFeature SNMP-Service

Optionally install SNMP-WMI-Provider separately for WMI-based SNMP management:

Install-WindowsFeature SNMP-WMI-Provider

Step 2: Configure the SNMP Service via Service Properties

After installation, configure the SNMP service through the Services MMC. Press Win+R, type services.msc, and press Enter. Locate SNMP Service, right-click, and select Properties. Navigate to the Security tab.

Under Accepted community names, click Add to create a new community string. In a production environment, configure the community name with READ ONLY access (Community Rights = READ ONLY). Avoid READ WRITE or READ CREATE unless your monitoring tool specifically requires write access. Add your community string name (e.g., MonPRTGCommunity2024).

Under Accept SNMP packets from these hosts, select “Only accept SNMP packets from these hosts” and add the IP address of your monitoring server. This access control prevents unauthorised SNMP queries from other hosts on the network.

On the Agent tab, fill in the Contact and Location fields. These map to the SNMP MIB-II sysContact and sysLocation OIDs and appear in monitoring dashboards. Set the services checkboxes appropriate to the server role (Physical, Internet, End-to-end, Applications).

Step 3: Configure SNMP via Registry (PowerShell)

For automated deployment, configure SNMP settings via the registry. The SNMP Service reads its configuration from HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters:

# Set community string with READ ONLY access (4 = Read Only)
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities"
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name "MonCommunity2024" -Value 4 -PropertyType DWORD -Force

# Restrict to specific monitoring hosts
$hostPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers"
New-Item -Path $hostPath -Force | Out-Null
New-ItemProperty -Path $hostPath -Name "1" -Value "192.168.1.100" -PropertyType String -Force
New-ItemProperty -Path $hostPath -Name "2" -Value "192.168.1.101" -PropertyType String -Force

# Set contact and location information
$agentPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\RFC1156Agent"
Set-ItemProperty -Path $agentPath -Name "sysContact" -Value "[email protected]"
Set-ItemProperty -Path $agentPath -Name "sysLocation" -Value "DataCenter-Rack-A1"

Restart the SNMP service after registry changes:

Restart-Service SNMP

Step 4: Configure Windows Firewall for SNMP

SNMP uses UDP port 161 for queries and UDP port 162 for traps. Configure Windows Firewall to allow SNMP from the monitoring host only:

# Allow SNMP queries from monitoring server only
New-NetFirewallRule -DisplayName "SNMP Inbound" -Direction Inbound -Protocol UDP -LocalPort 161 -RemoteAddress 192.168.1.100 -Action Allow -Profile Domain,Private

# Allow SNMP traps outbound to monitoring server
New-NetFirewallRule -DisplayName "SNMP Trap Outbound" -Direction Outbound -Protocol UDP -RemotePort 162 -RemoteAddress 192.168.1.100 -Action Allow -Profile Domain,Private
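
An Allow rule only narrows access if no broader Allow rule also matches UDP 161. The following PowerShell is an added example, not part of the original guide; the function names Test-PortSpec and Get-SnmpInboundExposure are illustrative. It lists every enabled inbound Allow rule that covers UDP 161 and flags those admitting more than the monitoring host.

```powershell
# Added example: find inbound Allow rules that expose UDP 161 more widely
# than the single monitoring host this guide permits.

function Test-PortSpec {
    # True when a firewall port spec ('Any', '161', '160-162') covers $Port.
    param([string[]]$Spec, [int]$Port)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($s -eq "$Port") { return $true }
    }
    return $false
}

function Get-SnmpInboundExposure {
    param([string]$MonitorIp)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        if ($ports.Protocol -notin 'UDP', 'Any') { return }           # skip non-UDP rules
        if (-not (Test-PortSpec -Spec $ports.LocalPort -Port 161)) { return }
        $remote = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        [pscustomobject]@{
            Rule             = $_.DisplayName
            Profile          = $_.Profile
            RemoteAddress    = $remote -join ','
            # Anything other than the exact monitoring IP is treated as wider
            # (Any, LocalSubnet, ranges, additional hosts).
            WiderThanMonitor = [bool]($remote | Where-Object { $_ -ne $MonitorIp })
        }
    }
}

# 192.168.1.100 is the monitoring host address used throughout this guide.
Get-SnmpInboundExposure -MonitorIp '192.168.1.100' | Format-Table -AutoSize
```

Rules reported with WiderThanMonitor = True should be disabled or scoped to the monitoring host so that the rule created above is the only path to the SNMP service.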

Step 5: Configure SNMP Traps

SNMP traps allow the Windows server to proactively notify the monitoring system of events (such as a service stopping or disk failure) rather than waiting for the next polling cycle. Configure trap destinations via the SNMP Service Properties Traps tab:

Add the community name used for traps and the trap destination (IP address of the SNMP trap receiver/monitoring server). Via registry:

$trapPath = "HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\TrapConfiguration\MonCommunity2024"
New-Item -Path $trapPath -Force | Out-Null
New-ItemProperty -Path $trapPath -Name "1" -Value "192.168.1.100" -PropertyType String -Force

Step 6: Verify SNMP Responses

Test SNMP connectivity from the monitoring server. If you have snmpwalk or snmpget available on the monitoring server (Linux-based Nagios or Zabbix server):

# Run from monitoring server (Linux)
snmpget -v2c -c MonCommunity2024 192.168.1.200 sysDescr.0
snmpwalk -v2c -c MonCommunity2024 192.168.1.200 system

From a Windows management workstation with SNMP tools, use the built-in snmputil command if installed, or use PowerShell with the SNMP module. To verify the SNMP service is listening on UDP 161 on the Windows server itself:

netstat -an | findstr ":161"

The output should show UDP 0.0.0.0:161 LISTENING (or the specific interface IP).

Step 7: Enable SNMP v3 (Recommended for Security)

SNMP v1 and v2c transmit community strings in plaintext and are vulnerable to interception. SNMP v3 provides authentication (MD5/SHA) and optional encryption (DES/AES). Windows Server 2012 R2’s built-in SNMP service only supports SNMP v1 and v2c. For SNMP v3 support on Windows Server 2012 R2, third-party SNMP agents or network monitoring solutions that use WMI instead of SNMP are recommended alternatives.

As a security mitigation for SNMP v2c deployments, use a strong, non-obvious community string, restrict permitted managers to specific monitoring host IPs, and isolate SNMP traffic to a dedicated management VLAN where possible.
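
The checks listed above can be audited directly from the registry keys configured in Step 3. The following PowerShell is an added example, not part of the original guide; the function names Get-SnmpRegistryValues and Test-SnmpHardening and the list of weak community names are illustrative assumptions.

```powershell
# Added example: audit ValidCommunities and PermittedManagers for the
# weaknesses this guide warns about.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters'

function Get-SnmpRegistryValues {
    # Return every value under a registry key as name -> data.
    param([string]$Path)
    $values = @{}
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { foreach ($n in $key.GetValueNames()) { $values[$n] = $key.GetValue($n) } }
    $values
}

function Test-SnmpHardening {
    param(
        [hashtable]$Communities,   # community name -> rights DWORD
        [string[]]$Managers        # data of each PermittedManagers value
    )
    $rights   = @{ 1 = 'NONE'; 2 = 'NOTIFY'; 4 = 'READ ONLY'; 8 = 'READ WRITE'; 16 = 'READ CREATE' }
    $weak     = 'public', 'private'          # assumed list of well-known defaults
    $findings = @()
    foreach ($name in $Communities.Keys) {
        $value = [int]$Communities[$name]
        if ($weak -contains $name) {
            $findings += "Community '$name' is a well-known default"
        }
        if ($value -gt 4) {
            $findings += "Community '$name' grants $($rights[$value]); use READ ONLY (4)"
        }
    }
    if (-not $Managers -or $Managers.Count -eq 0) {
        $findings += 'PermittedManagers is empty: SNMP packets are accepted from any host'
    }
    $findings
}

# Constructed sample: a default community, a writable one, no manager restriction.
Test-SnmpHardening -Communities @{ public = 4; OpsRW = 8 } -Managers @()

# Live audit on the server itself (run elevated).
$communities = Get-SnmpRegistryValues "$base\ValidCommunities"
$managers    = @((Get-SnmpRegistryValues "$base\PermittedManagers").Values)
Test-SnmpHardening -Communities $communities -Managers $managers
```

An empty result from the live audit means none of the three conditions was found; it does not check the strength of the community string itself.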

Step 8: Common SNMP OIDs for Windows Monitoring

The following MIB-II OIDs are available via the Windows SNMP service for standard monitoring:

# System Description
OID: 1.3.6.1.2.1.1.1.0  (sysDescr)

# System Uptime (in hundredths of a second)
OID: 1.3.6.1.2.1.1.3.0  (sysUpTime)

# Interface Table (network interface statistics)
OID: 1.3.6.1.2.1.2.2  (ifTable)

# Interface InOctets / OutOctets (bytes per interface)
OID: 1.3.6.1.2.1.2.2.1.10  (ifInOctets)
OID: 1.3.6.1.2.1.2.2.1.16  (ifOutOctets)

# TCP Connections
OID: 1.3.6.1.2.1.6.9.0  (tcpCurrEstab)

# UDP Datagrams
OID: 1.3.6.1.2.1.7.1.0  (udpInDatagrams)

For Windows-specific counters beyond MIB-II (CPU, memory, disk), most monitoring platforms use WMI queries or the Windows Performance Counter via the SNMP WMI Provider extension.

Summary

SNMP on Windows Server 2012 R2 provides a standard-protocol monitoring interface compatible with virtually every enterprise monitoring platform. By installing the SNMP service, configuring strong community strings with read-only access, restricting permitted managers to known monitoring hosts, and enabling firewall rules that limit SNMP access to specific IPs, you achieve a functional and reasonably secure SNMP monitoring integration. For environments requiring stronger security, supplement SNMP with WMI-based monitoring or deploy a dedicated monitoring agent like Zabbix or SCOM that provides encrypted, authenticated communication.