Telnet Server Security (Windows Embedded CE 6.0)
1/6/2010
The Telnet Server included with Windows Embedded CE is a sample intended to show you how to create networking services that interact and register with Services.exe. The Telnet Server sample is also useful for device bring-up and debugging.
The Telnet server is included as a teaching tool but not for commercial distribution without further modifications. The security on the Telnet sample is very light and vulnerable to security attacks. Even if your Telnet server is configured to require password authentication, the password is sent in plain text across the network and is therefore vulnerable to packet sniffing. A malicious user could obtain the password to the device by watching packets sent back and forth between the Telnet sample and the client during the authentication stage. If a malicious user could log on to the device, they would have complete control over it. This could involve deleting or modifying key system files and the registry.
Because of these serious security risks, it is strongly recommended you only run the Telnet sample for development and debugging purposes, on a controlled, private network where you trust the users. It is strongly recommended that you do not deploy this sample Telnet server on a public network such as the Internet.
Microsoft recommends that you carefully review the code and the security needs for the target deployment, and, if necessary, add more security infrastructure before distributing this functionality in a release product.
Best Practices
Set the User List and Domain variables to prevent attacks on your device by unauthorized users
If Telnet Server is used without appropriate values set for the User List and Domain variables, your Telnet server will be vulnerable to attacks by unauthorized users. These variables are not set by default. An unauthorized user must only guess the device's password, the way it is set in Control Panel, to obtain access to the server.
To prevent such an attack, the user name in the UserList registry value must be set for each of the servers that are currently running. The user will then need to log in with the specified user name and appropriate password to use the server.
You can set the domain variable in the DefaultDomain registry value, which is located under the HKEY_LOCAL_MACHINE\Comm\Redir registry key. For more information on this registry value, see Windows Networking API/Redirector Registry Settings.
If the DefaultDomain registry value is not set, Windows Embedded CE uses the local user database to set the domain variable. You can use the NTLMSetUserInfo function to add user information to the local database.
Enable a firewall on your network device
For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows Embedded CE Firewall on the network device. For more information about the Windows Embedded CE IP Firewall and how to configure it, see Firewall.
For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.
Modify the telnet client to be more secure
Because the source code to the Telnet client ships with Windows Embedded CE, there are several things that you can do to improve the security of the device:
- Set the telnet root to a directory without any sensitive files. The telnet log data is written to files on the telnet root directory, so setting the root to a known safe directory will prevent Telnet access to other directories.
- Disable unneeded Telnet commands. For the logging feature, you only need to enable the Quit command.
- Write the Telnet log-in and log-out events to the troubleshooting log file.
In order to make the preceding changes, copy the telnet source code, modify it to restrict its functionality as described above, and compile it.
Above all, be aware that the telnet client is intended to be used for development, debugging, and sample deployments, and should not be deployed commercially without a rigorous security update.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications, you will find a Security Note in the registry settings documentation.
For Telnet Server registry information, see Telnet Server Registry Settings.
Ports
The Telnet server uses port 23 as a default port to receive Telnet connections. This value can be changed or extra ports to be listened on can be added. Telnet Server uses Services.exe to listen for incoming connections. Services.exe can listen on any IPv4 or Ipv6 port. For more information, see Registering a Super Service Automatically.
See Also
Concepts
Telnet Server Registry Settings