Telnet Server Security

The Telnet Server included with Windows CE .NET is a sample intended to show you how to create networking services that correctly interact and register with services.exe. The Telnet Server sample is also useful for device bring-up and debugging.

The Telnet server is included as a teaching tool and is not intended for commercial distribution without further modification. The Telnet sample has very light security and is vulnerable to attack. Even if your Telnet server is configured to require password authentication, the password is sent in plain text across the network and is therefore vulnerable to packet sniffing. A malicious user could obtain the password to the device by watching packets sent back and forth between the Telnet sample and the client during the authentication stage. If a malicious user could log on to the device, they would have complete control over it. This could involve deleting or modifying key system files and the registry.

Because of these serious security risks, it is strongly recommended that you run the Telnet sample only for development and debugging purposes, on a controlled, private network where you trust the users. It is strongly recommended that you do not deploy this sample Telnet server on a public network such as the Internet.

Microsoft recommends that you carefully review the code and the security needs for the target deployment, and, if necessary, add more security infrastructure before distributing this feature in a retail product.

Best Practices

Set the User List and Domain variables to prevent hacker attacks on your device

If the Telnet Server feature is used without appropriate values set for the User List and Domain variables, your Telnet server will be vulnerable to hacker attacks. These variables are not set by default. A hacker then needs only to guess the device's password, as it is set in Control Panel, to obtain access to the server.

To prevent such an attack, the user name in the UserList registry value must be set for each of the servers that are currently running. The user will then need to log in with the specified user name and appropriate password to use the server.

You can set the domain variable in the DefaultDomain registry value, which is located under the HKEY_LOCAL_MACHINE\Comm\Redir registry key. For more information on this registry value, see Redirector Registry Settings.
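The following is an added example, not part of the original documentation or of Microsoft's sample code: a Python check that reads a .reg-style registry export and reports any server key without a UserList value, and a missing DefaultDomain under HKEY_LOCAL_MACHINE\Comm\Redir. The server key path and the sample exports are constructed placeholders (take the real key from Telnet Server Registry Settings), and both values are assumed to be stored as strings.

```python
import re

REDIR_KEY = r"HKEY_LOCAL_MACHINE\Comm\Redir"               # key named on this page
SERVER_KEY = r"HKEY_LOCAL_MACHINE\EXAMPLE\TelnetServer"    # placeholder, not the real key

def parse_reg(text):
    """Parse .reg-style text into {KEY: {value_name: string}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # skip blanks and comments
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                         # registry names are case-insensitive
            current = keys.setdefault(m.group(1).upper(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*"(.*)"', line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return keys

def audit(text, server_keys):
    """Return findings for unset UserList (per server key) and DefaultDomain."""
    keys, findings = parse_reg(text), []
    for key in server_keys:
        values = keys.get(key.upper())
        if values is None:
            findings.append(f"{key}: key not found in export")
        elif not values.get("userlist", "").strip():
            findings.append(f"{key}: UserList not set")
    if not keys.get(REDIR_KEY.upper(), {}).get("defaultdomain", "").strip():
        findings.append(f"{REDIR_KEY}: DefaultDomain not set")
    return findings

# Constructed sample exports: the default (unset) state and a corrected one.
WEAK = r'''
[HKEY_LOCAL_MACHINE\EXAMPLE\TelnetServer]
"UserList"=""
'''
HARDENED = r'''
[HKEY_LOCAL_MACHINE\EXAMPLE\TelnetServer]
"UserList"="labuser"
[HKEY_LOCAL_MACHINE\Comm\Redir]
"DefaultDomain"="LABDOMAIN"
'''

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample, [SERVER_KEY]) or "no findings")
```

Pass every running server's key in `server_keys`, since the UserList value must be set for each of them.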

Default Registry Settings

You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.

For Telnet Server registry information, see Telnet Server Registry Settings.

Ports

The Telnet server uses port 23 as the default port to receive Telnet connections. You can change this value or add extra ports to listen on. Telnet Server uses Services.exe to listen for incoming connections. Services.exe can listen on any IPv4 or IPv6 port. For more information, see Registering a Super Service Automatically.

See Also

Telnet Server | Telnet Server Registry Settings

 Last updated on Saturday, April 10, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.