The inclusion of Telnet server in W2K Pro and W2K Server is another decent
reason to upgrade from Windows NT to Windows 2000. If you have ever worked in a
unix environment, you know how valuable telnet is to remote administration. You
telnet to a remote box and run programs as if you were setting at the console.
Windows NT Resource Kit has a beta telnet server. There are good commercial
telnet servers available for NT4 which I documented in Telnet
servers for Windows NT . These tools have the downside of cost if your job
involves workstation support. Getting a decent telnet server for a set of
servers is one thing, paying for a telnet server for a large number of
workstations – HA! Not anywhere I ever worked. W2K has addressed this issue.
Unix telnet has significant security problems – the password flows in clear
text across the network. Not acceptable. The commercial NT telnet packages offer
integrated NT security as an option. Microsoft’s telnet server for Windows 2000
Server and Windows 2000 Professional uses NT 2000s native security – passwords
are not sent in clear text. The telnet client in Windows 2000 supports this
enhanced security. If you are in a mixed NT and unix administrative environment,
you can configure the telnet server to access clear text passwords.
By default, the Telnet service supplied with Windows 2000 requires NTLM
authentication. However, if Windows 2000 is configured to use Kerberos as its
default authentication method, then Telnet users are not able to obtain access
to domain/AD resources including network validation. To allow clear text
passwords ala unix:
- Run tlntadmn.exe
- Select Display / change registry settings
- Select NTLM
- Change the default setting from 2 to 0 to disable the NTLM requirement
To start the telnet server, at the commandline:
net start tlntsvr
As a service, it can be start/stopped/paused as you need. It can be
automatically started in all Windows 2000 Professional workstations if you want
to support them remotely. With telnet and runas
utility , Windows 2000 has become a much more friendly place for unix
admins.
Don’t let the word unix turn you off. The unix-world has powerful tools to
manage distributed systems that needed to be made available to the NT world.
This telnet service is essentially a freeware utility that can take the place
of SMS’s remote access capability, without the very significant complexity of
SMS.
You can configure a logon banner and automatically execute commands at log on
(map drives and so on). When a user connects, the Telnet service runs the file
%systemroot%\System32\login.cmd. The login.cmd file is
global and applies to all Telnet users who connect to the system. You can modify
the script to include commands based on the %username% variable that execute
other scripts as applicable to specific users. By default, login.cmd causes a
simple banner to display the changes to the folder referenced by the %homedrive%
and %homepath% variables. However, you can modify the script to change the
banner or to include additional commands to customize the Telnet session’s
behavior.
You can restrict users from gaining access to Windows 2000 via Telnet:
If there is a local group named TelnetClients, W2k allows only users who are
members of this group can access the computer via Telnet.
