Wake On LAN Security Best Practices

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Best Practices

Use unicast for sending wake-up packets    Unicast is more secure than subnet-directed broadcasts because the packet is sent directly to a computer rather than to all computers on a subnet. However, unicast will not work in all environments. For more information, see Choose Between Unicast and Subnet-Directed Broadcast for Wake On LAN.

If you must use subnet-directed broadcasts, configure routers to allow IP-directed broadcasts only from the site server and only on a non-default port number    Subnet directed broadcasts are vulnerable to smurf attacks. Limiting the broadcasts to a trusted source, the site server computer, and a non-default UDP port, help to mitigate the risk. For more information, see Secure Routers for Subnet-Directed Broadcasts for Wake On LAN.

See Also

Other Resources

Security Best Practices and Privacy Information for Configuration Manager Features
Wake On LAN in Configuration Manager

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.