Unix telnet has significant security problems - the password flows in clear text across the network. Not acceptable. The commercial NT telnet packages offer integrated NT security as an option. Microsoft's telnet server for Windows 2000 Server and Windows 2000 Professional uses Windows 2000's native security - passwords are not sent in clear text. The telnet client in Windows 2000 supports this enhanced security. If you are in a mixed NT and unix administrative environment, you can configure the telnet server to accept clear text passwords.
By default, the Telnet service supplied with Windows 2000 requires NTLM authentication. However, if Windows 2000 is configured to use Kerberos as its default authentication method, then Telnet users are not able to obtain access to domain/AD resources, including network validation. To allow clear text passwords à la unix:
- Run tlntadmn.exe
- Select Display / change registry settings
- Select NTLM
- Change the default setting from 2 to 0 to disable the NTLM requirement
To start the telnet server, at the command line:
net start tlntsvr
As a service, it can be started, stopped, or paused as you need. It can be started automatically on all Windows 2000 Professional workstations if you want to support them remotely. With telnet and the runas utility, Windows 2000 has become a much more friendly place for unix admins.
Don't let the word unix turn you off. The unix-world has powerful tools to manage distributed systems that needed to be made available to the NT world.
This telnet service is essentially a freeware utility that can take the place of SMS's remote access capability, without the very significant complexity of SMS.
You can configure a logon banner and automatically execute commands at logon (map drives and so on). When a user connects, the Telnet service runs the file %systemroot%\System32\login.cmd. The login.cmd file is global and applies to all Telnet users who connect to the system. You can modify the script to include commands based on the %username% variable that execute other scripts as applicable to specific users. By default, login.cmd displays a simple banner and changes to the folder referenced by the %homedrive% and %homepath% variables. However, you can modify the script to change the banner or to include additional commands to customize the Telnet session's behavior.
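A customized login.cmd along the lines described above, as an added example that is not the script shipped with Windows 2000. The banner text, the C:\TelnetScripts folder and the log file name are assumptions chosen for illustration.

```batch
@echo off
rem Added example of a customized %systemroot%\System32\login.cmd.
rem Assumptions (not from the original page): the banner wording, the
rem per-user script folder C:\TelnetScripts and the log file name.

set SCRIPTDIR=C:\TelnetScripts
set LOGFILE=%SCRIPTDIR%\telnet-logons.log

rem Logon banner shown to every Telnet user.
echo *==========================================================
echo  Authorized administrators only. Sessions are recorded.
echo *==========================================================

rem Convenience record of who connected and when. The file must be
rem appendable by Telnet users, so it is not a tamper-proof audit trail.
echo %date% %time% %userdomain%\%username% on %computername% >> "%LOGFILE%"

rem Start the session in the user's home folder, as the default script does.
cd /d "%homedrive%%homepath%"

rem Run an optional per-user script, for example C:\TelnetScripts\jsmith.cmd.
rem Quoting keeps user names that contain spaces from splitting the path.
if exist "%SCRIPTDIR%\%username%.cmd" call "%SCRIPTDIR%\%username%.cmd"
```

Because login.cmd and anything it calls run in every Telnet session, the script and the per-user .cmd files should be writable only by administrators.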
You can restrict users from gaining access to Windows 2000 via Telnet:
If there is a local group named TelnetClients, W2k allows only users who are members of this group to access the computer via Telnet.