0

I'm looking to implement telnet on Server 2012. I know it's not secure yada yada, it's just a project.

What are the best security practices regarding this, including software to use, if not inbuilt? I'm also putting an SSH server on there, if there's anything that can combine the 2.

Thanks.

  • 9
    The best practice for `telnet` is to disable it. Period. End of discussion. Do not pass go, do not collect 200 security breaches and stolen passwords. If you tell us *why* you're trying to do this maybe we can give you a solution that doesn't make the Internet cry :-) – voretaq7 Jan 24 '13 at 18:36
  • It will only be accessed by 1 IP who is myself, it won't actually be open to the world, just 1 client who will act as 'the world' in this project. I'm quite aware it's not something used in production. –  Jan 24 '13 at 18:42
  • 1
    One IP or one hundred makes little difference: you are still exposed to man-in-the-middle attacks and/or connection eavesdropping... – voretaq7 Jan 24 '13 at 19:19
  • I'm well aware of that, I'm asking whether there is anything that has been developed to make it even slightly more secure, such as IPsec encryption. It seems the point of this post has been missed. –  Jan 24 '13 at 19:27
  • 3
    IPSec doesn't have much of anything to do with Telnet. It's a generic security layer that can be applied to any IP-based communication. We're looking for a practical, answerable question based on an actual problem you are facing. – Chris S Jan 24 '13 at 19:36
  • You're asking about band-aids to make it "more secure", but you simply can't fix a sucking chest wound with a band-aid. The patient is dead. Absent a real solid reason for keeping it around you should deploy SSH or something else with strong encryption instead and remove the insecure 44-year-old protocol from your environment. If you have a good business reason for requiring telnet *update your question and tell us what you're doing* and we'll try to help you find a solution that isn't completely insecure. – voretaq7 Jan 24 '13 at 19:39
  • 1
    What exactly do you mean by `telnet` server? Do you mean to say that you plan on writing an application that opens a TCP socket for some purpose, or are you actually looking to provide Windows command line access via telnet? – Zoredache Jan 24 '13 at 20:01
  • IPsec does provide an additional layer of security though. The problem I'm facing is making a telnet server as secure as possible. I'm aware it's a terrible protocol and I insinuated that in the OP! Yes, I am looking for band-aids for it, it's never going to hit a production line, just being used for an in-house project. It must be telnet. –  Jan 24 '13 at 20:22
  • 1
    You're not explaining why it must be telnet and can't be SSH. – mfinni Jan 24 '13 at 20:45

6 Answers

8

The best security practice for telnet is to not use it. Failing that, restrict everything you possibly can: what IPs it will talk to, who can log in, etc.

I have no idea what you mean by "combine the 2".

Chris S
  • It will only be accessed by 1 IP who is myself, it won't actually be open to the world, just 1 client who will act as 'the world' in this project. I mean a third-party install that can act as the telnet & SSH server. –  Jan 24 '13 at 18:39
4

Everyone else is right: You will ultimately come to regret the day you ever thought of installing a telnet server on your Windows computer. When that day comes, please remember that you were thoroughly warned.

Now with that out of the way, if you're absolutely certain you want to hang yourself, here's the rope.

You can install the telnet server in the Add Roles and Features Wizard, accessible from Server Manager. (You can also install the telnet client.)

[Image: Rope to hang yourself with]

Other ways to install telnet can be found on Microsoft TechNet.

Michael Hampton
3

If you're putting an SSH server on there as well, the solution is to use SSH instead of telnet.

SSH is the "more secure" development of telnet you're asking about in your comment. As to combining the two, no. Telnet is unencrypted. SSH is, for all intents and purposes, an encrypted telnet connection. The combination of telnet and "security" is SSH.

HopelessN00b
3

Just to humor the question.

You can do a few things to help secure a telnet server on Windows Server 2012.

You can:

  • change the default listening port (barely helps but still)
  • enable NTLM authentication instead of plain text
  • allow or disallow administrative privileges (using NTLM)

Articles here:

http://technet.microsoft.com/en-us/library/cc754837%28v=ws.10%29.aspx

TheCleaner
3

If you are looking for a command line, for yourself and for administrative purposes, and the server is local (not over a firewall), use WinRS (Windows Remote Shell).

When you have everything set up and running, you can enter commands like:

`winrs -r:serverName command`

Greg Askew
0

Since you HAVE to use Telnet, there are a couple of things that you can do to secure this.

I presume that you are running a recent version of Windows Server (2008 or better) and a recent version of the Windows client (Vista or better).

First, make sure that your server has the Windows Firewall running and limit the access to telnet on the proper interface, and to the proper machine that you will be running the client from.

Second, I would implement what is called "Domain Isolation" to IPsec-encrypt all traffic between your host and the server. If these systems are on a Windows domain, you can use a GPO to configure that. If you are not, you can implement local policies.

Mark Ringo
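
The two steps in the answer above (scope the firewall to one client, then require IPsec for that traffic), sketched in PowerShell as an added example that is not part of the original answer. It assumes Telnet on its default TCP port 23, both machines domain-joined so the default IPsec computer authentication applies, and a constructed placeholder client address; the rule names are made up for illustration.

```powershell
# Added example; run in an elevated PowerShell session on the Server 2012 host.
$ClientIp = '192.0.2.10'   # constructed placeholder for the single allowed client
$Port     = 23             # assumption: Telnet service left on its default port

# The scoped rules below only matter if the firewall is on for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Disable any existing inbound allow rule for this port, since a broader rule
# would let clients in without matching the scoped rule created below.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Disable-NetFirewallRule

# Connection security rule: negotiate IPsec for TCP/23 with that one client.
# The client needs a mirror-image rule (-RemotePort 23, server as RemoteAddress).
New-NetIPsecRule -DisplayName 'Telnet lab - require IPsec' `
    -InboundSecurity Require -OutboundSecurity Require `
    -Protocol TCP -LocalPort $Port -RemoteAddress $ClientIp

# Firewall rule: allow TCP/23 only from that client, and only when the
# connection is IPsec-authenticated and encrypted.
New-NetFirewallRule -DisplayName 'Telnet lab - single client, encrypted' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port `
    -RemoteAddress $ClientIp -Authentication Required -Encryption Required

# Check 1: the allow rule is scoped to the single address.
Get-NetFirewallRule -DisplayName 'Telnet lab*' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Check 2: after the client connects, a quick-mode security association
# should be listed; if none appears, the session was not protected by IPsec.
Get-NetIPsecQuickModeSA
```

Hosts that are not domain-joined need an explicit authentication proposal (certificate or pre-shared key) attached to the connection security rule, which this example leaves out.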