Configure Telnet Server to Allow Administrator Access by using Password Authentication

Applies To: Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista

You can use this procedure to allow users who are members of the local Administrators group, and who log on by using password authentication, to use their administrative privileges during a Telnet session.

Windows Vista and Windows Server 2008 introduced User Account Control (UAC) to enhance security based on whether you are logged on as a member of the local Administrators group. UAC also affects how you can use your administrative privileges from within a Telnet session.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

By default, users that log on by using NTLM authentication to a remote Telnet server can use their administrative privileges.

When you connect to a Telnet server by using password authentication, whether the token is filtered depends on the following three conditions:

  • Whether the security account used to start the Telnet service is either Local Service or LocalSystem. See the procedures below named To use the Local Service security account to run Telnet and To use the LocalSystem security account to run Telnet.

  • Whether the user account is a domain account or an account local to the Telnet server.

  • Whether the value of the LocalAccountTokenFilterPolicy registry entry is 0 or 1. See the procedure below, To set the value of the LocalAccountTokenFilterPolicy registry entry.

The following table shows the results of the possible combinations of these factors when using password authentication to connect to a remote Telnet server. A dash in a cell indicates that the setting does not exist.

  Security account running Telnet service   User account type   LocalAccountTokenFilterPolicy registry entry value   The resulting token is
  ---------------------------------------   -----------------   --------------------------------------------------   ----------------------
  Local Service                             -                   -                                                    Filtered
  LocalSystem                               Domain              -                                                    Full
  LocalSystem                               Local               0                                                    Filtered
  LocalSystem                               Local               1                                                    Full

To set the value of the LocalAccountTokenFilterPolicy registry entry

  1. Start the Registry Editor. Click Start, type regedit in the Start Search box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Open the registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System

  4. If the entry LocalAccountTokenFilterPolicy does not yet exist, right-click System, and then click Edit, New, and DWORD (32-bit) Value. Type the name LocalAccountTokenFilterPolicy, and then set its value to 1.

  5. This entry has meaning only when the Telnet service is running under the context of LocalSystem. To run Telnet as Local Service, see the next procedure, To use the Local Service security account to run Telnet.

To use the Local Service security account to run Telnet

  1. Stop the Telnet service. See Enable the Telnet Server Service.

  2. In the Services snap-in, on the Telnet Properties dialog box, click the Log On tab.

  3. In Log on as, click This account, and then type Local Service in the text box.

  4. Type the Administrator account password in the Password and Confirm Password text boxes.

  5. Click OK to save your changes.

  6. Open the Registry Editor. Click Start, type regedit in the Start Search box, and then press ENTER.

  7. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  8. In the navigation pane, find the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr

  9. In the details pane, double-click RequiredPrivileges.

  10. In the Edit Multi-String dialog box, if SeTcbPrivilege is in the list, remove it.

  11. Click OK to save your changes.

  12. Restart the Telnet Server service. See Enable the Telnet Server Service.

To use the LocalSystem security account to run Telnet

  1. Stop the Telnet Server service. See Enable the Telnet Server Service.

  2. In the Services snap-in, on the Telnet Properties dialog box, click the Log On tab.

  3. In Log on as, click This account, and then type LocalSystem in the text box.

  4. Type the Administrator account password in the Password and Confirm Password text boxes.

  5. Click OK to save your changes.

  6. Open the Registry Editor. Click Start, type regedit in the Start Search box, and then press ENTER.

  7. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  8. In the navigation pane, find the key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TlntSvr

  9. In the details pane, double-click RequiredPrivileges.

  10. In the Edit Multi-String dialog box, if it is not already there, add SeTcbPrivilege to the list.

  11. Click OK to save your changes.

  12. Restart the Telnet Server service. See Enable the Telnet Server Service.
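The following PowerShell function is an added audit example, not part of this article or of Telnet Server itself. It reads the three factors from the table above (the service account that runs TlntSvr, the account type you pass in, and the LocalAccountTokenFilterPolicy value) and reports whether a password-authenticated member of the local Administrators group would receive a full or a filtered token; it assumes Telnet Server is installed under the service name TlntSvr and that the session is elevated so the service and registry keys can be read.

```powershell
# Added audit example (not from the original article). Applies the article's
# table to the current machine: reports the resulting token for a member of the
# local Administrators group who logs on with password authentication.
# Assumes the Telnet Server service is installed as TlntSvr and that this runs
# in an elevated Windows PowerShell session.

function Get-TelnetTokenFilterState {
    [CmdletBinding()]
    param(
        # Account type of the user who will log on (the table's second factor)
        [ValidateSet('Domain', 'Local')]
        [string]$UserAccountType = 'Local'
    )

    # Factor 1: which security account runs the Telnet service.
    # Get-WmiObject is used so the check also works on Windows PowerShell 2.0.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='TlntSvr'"
    if (-not $svc) { throw 'Telnet Server service (TlntSvr) is not installed.' }
    $runsAsLocalSystem = ($svc.StartName -eq 'LocalSystem')

    # RequiredPrivileges is the multi-string the procedures edit: the article
    # pairs LocalSystem with SeTcbPrivilege and Local Service without it.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TlntSvr'
    $privs  = (Get-ItemProperty -Path $svcKey -Name RequiredPrivileges -ErrorAction SilentlyContinue).RequiredPrivileges
    $hasTcb = @($privs) -contains 'SeTcbPrivilege'
    if ($runsAsLocalSystem -ne $hasTcb) {
        Write-Warning 'Service account and SeTcbPrivilege do not match the pairing the procedures describe.'
    }

    # Factor 3: LocalAccountTokenFilterPolicy; a missing entry behaves as 0 (filtered).
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($null -eq $policy) { $policy = 0 }

    # The table: Local Service -> Filtered; LocalSystem + Domain -> Full;
    # LocalSystem + Local -> Full only when the policy value is 1.
    $token = if (-not $runsAsLocalSystem)          { 'Filtered' }
             elseif ($UserAccountType -eq 'Domain') { 'Full' }
             elseif ($policy -eq 1)                 { 'Full' }
             else                                   { 'Filtered' }

    [pscustomobject]@{
        ServiceAccount                = $svc.StartName
        HasSeTcbPrivilege             = $hasTcb
        UserAccountType               = $UserAccountType
        LocalAccountTokenFilterPolicy = $policy
        ResultingToken                = $token
    }
}

Get-TelnetTokenFilterState -UserAccountType Local
```

Run it once for Local and once for Domain to see both rows of the table that apply to the current service account.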

Additional references

For additional information about tokens in the Telnet context, refer to the following RFCs, available at the Internet Engineering Task Force Web site (https://go.microsoft.com/fwlink/?linkid=121):

  • RFC 2877 5250 Telnet Enhancements

  • RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows

See Also

Concepts

Enable the Telnet Server Service
Grant Access to a Telnet Server
Configure Telnet Server Authentication
Configure the Command Interpreter Used by the Telnet Server
Configure the TCP Port Number Used by Telnet Server
Configure Idle Session Timeouts for Telnet Sessions
Configure the Number of Simultaneous Sessions Supported
Configure the Domain Used for User Name Authentication