Windows 2000 Telnet server

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

The inclusion of Telnet server in W2K Pro and W2K Server is another decent reason to upgrade from Windows NT to Windows 2000. If you have ever worked in a unix environment, you know how valuable telnet is to remote administration. You telnet to a remote box and run programs as if you were setting at the console. Windows NT Resource Kit has a beta telnet server. There are good commercial telnet servers available for NT4 which I documented in Telnet servers for Windows NT . These tools have the downside of cost if your job involves workstation support. Getting a decent telnet server for a set of servers is one thing, paying for a telnet server for a large number of workstations - HA! Not anywhere I ever worked. W2K has addressed this issue.

Unix telnet has significant security problems - the password flows in clear text across the network. Not acceptable. The commercial NT telnet packages offer integrated NT security as an option. Microsoft's telnet server for Windows 2000 Server and Windows 2000 Professional uses NT 2000s native security - passwords are not sent in clear text. The telnet client in Windows 2000 supports this enhanced security. If you are in a mixed NT and unix administrative environment, you can configure the telnet server to access clear text passwords.

By default, the Telnet service supplied with Windows 2000 requires NTLM authentication. However, if Windows 2000 is configured to use Kerberos as its default authentication method, then Telnet users are not able to obtain access to domain/AD resources including network validation. To allow clear text passwords ala unix:

  • Run tlntadmn.exe
  • Select Display / change registry settings
  • Select NTLM
  • Change the default setting from 2 to 0 to disable the NTLM requirement

To start the telnet server, at the commandline:

net start tlntsvr

As a service, it can be start/stopped/paused as you need. It can be automatically started in all Windows 2000 Professional workstations if you want to support them remotely. With telnet and runas utility , Windows 2000 has become a much more friendly place for unix admins.

Don't let the word unix turn you off. The unix-world has powerful tools to manage distributed systems that needed to be made available to the NT world.

This telnet service is essentially a freeware utility that can take the place of SMS's remote access capability, without the very significant complexity of SMS.

You can configure a logon banner and automatically execute commands at log on (map drives and so on). When a user connects, the Telnet service runs the file %systemroot%\System32\login.cmd. The login.cmd file is global and applies to all Telnet users who connect to the system. You can modify the script to include commands based on the %username% variable that execute other scripts as applicable to specific users. By default, login.cmd causes a simple banner to display the changes to the folder referenced by the %homedrive% and %homepath% variables. However, you can modify the script to change the banner or to include additional commands to customize the Telnet session's behavior.

You can restrict users from gaining access to Windows 2000 via Telnet:

If there is a local group named TelnetClients, W2k allows only users who are members of this group can access the computer via Telnet.

See Also

Featured Links