Configuring Windows 2000 Telnet Service For Non-MS Clients

In this article we discussed how to install the telnet service on NT 4. Windows 2000 comes with a telnet service. Now, telnet is nasty, because it does not provide encryption like SSH does. One cool thing about telnet, though, is that it is great for testing layer 4 stuff. We will use this in other articles. Be doubly sure that you patch up your telnet service if you run it. See this security warning for a list of many of the security holes in the telnet service that Microsoft has patched. Don’t be letting telnet in through your firewall, though, and do remember that you can listen on any port with telnet. You’ll have to monitor your systems and make sure that if the service is running, it isn’t set to another port.

If you use a non-windows client, you will get an NTLM error:

u-1@srv-1 u-1 $ telnet 10.50.100.45
Trying 10.50.100.45...
Connected to 10.50.100.45.
Escape character is '^]'.
Server allows NTLM authentication only 
Server has closed connection
Connection closed by foreign host.
u-1@srv-1 u-1 $ 

This can be set in the Telnet Server Administration tool. This is located in Administrative Tools:

telnetserveradmin

Let’s change the NTLM option to disabled completely. This means that the client doesn’t even try to use NTLM authentication. Instead, plain text passwords are passed across the network. Be *aware* of this, and secure accordingly. Double click on the Telnet Server Administration tool:

Microsoft (R) Windows 2000 (TM) (Build 2195)
Telnet Server Admin (Build 5.00.99201.1)
Select one of the following options:
0) Quit this application
1) List the current users
2) Terminate a user session ...
3) Display / change registry settings ...
4) Start the service
5) Stop the service
Type an option number [0 - 5] to select that option: 3
Select one of the following options:
0) Exit this menu
1) AllowTrustedDomain
2) AltKeyMapping
3) DefaultDomain
4) DefaultShell
5) LoginScript
6) MaxFailedLogins
7) NTLM
8) TelnetPort
Type an option number [0 - 8] to select that option: 7
Current value of NTLM = 2
Do you want to change this value ? [y/n]y
NTLM [ current value = 2; acceptable values 0, 1 or 2 ] :0

Restart the telnet service. Now, we can log on:

u-1@srv-1 u-1 $ telnet 10.50.100.45
Trying 10.50.100.45...
Connected to 10.50.100.45.
Escape character is '^]'.
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service 
Telnet Server Build 5.00.99206.1
login: administrator            
password: ******   
*===============================================================                
Welcome to Microsoft Telnet Server.                                             
*===============================================================                
C:\>  

Remember how we said the telnet server could listen on any port? Well, just set the port using the Telnet Server Administration tool to, say 10888. Now we can telnet in to the server on port 10888:

u-1@srv-1 u-1 $ telnet 10.50.100.47 10888
Trying 10.50.100.47...
Connected to 10.50.100.47.
Escape character is '^]'.
Microsoft (R) Windows (TM) Version 5.00 (Build 2195)
Welcome to Microsoft Telnet Service 
Telnet Server Build 5.00.99201.1
login:

Note that the version and IP address are different. This is an unpatched telnet server on a Windows 2000 Advanced server we are using in another article. The telnet service is very handy for testing security and other services. Very nasty security implications, though. Don’t be tempted to run this on systems that aren’t in controlled environments. Also, be aware of what your Windows 2000 machines are running that are accessible from the outside. A little port address translation on the firewall, and a Windows 2000 workstation running on some random port, and you have a nasty security hole. Did we mention to be careful about running the telnet service? 😉