While studying the W2K books I ran into a new kind of service (and correct me if I'm wrong, this wasn't available default in NT4.0) called the telnet service. This is a UNIX like service, which gives you a text based tool for remote administration of your W2K system. This can be very when you have to troubleshoot a system while using a slow connection (i.e. 33k6 modem). But I also think that a warning should be in place, although the service is default configured as Manual in the control panel, switching this to automatically shouldn't be done without consideration of the security issue's.
How does it works:
Like said before the default value for this service is manual. So you have to switch it on. This is done through the menu start/programs/administrative tools/services . After the service is started you are able to make a telnet connection to the W2K server just by starting up from the command prompt telnet xxx.xxx.xxx.xxx. After the login and password, the system redirects you to the c:\> from this command prompt you are able to start up the telnet server service administration tool by running the tlntadmn.exe program. The telnet server service administration tool: The telnet server service administration tool includes the following options:
|0||Quit this application||Ends the Telnet Server Administration tool|
|1||List the current Users||Lists the current users, including the user name, domain, remote computer, Session ID, and log time|
|2||Terminate a user session||Terminates a selected user's session|
|3||Display/Change registry settings||Provides a list of registry settings that you can change. For more information see page 2|
|4||Start the service||Starts the W2K telnet service|
|5||Stops the service||Stops the W2K telnet service|
The telnet service is very similar to the version which was include with service for UNIX, with the major difference that the W2K service only accepts two inbound connections.
What about security:
The MS telnet service offers a method of secure logon using NTLM security.
If W2K is configured to use Kerberos as its default authentication method, the
default must changed in the registry by using option 3 in the administrator
tool setting the value to 0. But most services allow for only a "clear
text" logon, which means that your passwords across the network. You have
problems when the pizzaboy from my last article (W2K Recovery
Console ) placed a tap into your network.
Logons are considered to be local logons, so the user who logs on with a telnet connection must be able to log on locally. The file permissions are based on NTFS file system security. If you have partitions using the FAT or FAT32 file system on your server, any user who has access to Telnet can gain access to all resources on these values.
This new tool is also like the recovery console a very powerful tool to make the life of the administrator less stressful, but there are a lot of security issue's involved so before using this tool you must consider the total security of your system and network.