Telnet Server Security (Windows CE 5.0)
The Telnet Server included with Windows CE is a sample intended to show you how to create networking services that interact and register with Services.exe. The Telnet Server sample is also useful for device bring-up and debugging.
The Telnet server is included as a teaching tool but not for commercial distribution without further modifications. The security on the Telnet sample is very light and vulnerable to security attacks. Even if your Telnet server is configured to require password authentication, the password is sent in plain text across the network and is therefore vulnerable to packet sniffing. A malicious user could obtain the password to the device by watching packets sent back and forth between the Telnet sample and the client during the authentication stage. If a malicious user could log on to the device, they would have complete control over it. This could involve deleting or modifying key system files and the registry.
Because of these serious security risks, it is strongly recommended you only run the Telnet sample for development and debugging purposes, on a controlled, private network where you trust the users. It is strongly recommended that you do not deploy this sample Telnet server on a public network such as the Internet.
Microsoft recommends that you carefully review the code and the security needs for the target deployment, and, if necessary, add more security infrastructure before distributing this functionality in a release product.
Best Practices
Set the User List and Domain variables to prevent attacks on your device by unauthorized users
If Telnet Server is used without appropriate values set for the User List and Domain variables, your Telnet server will be vulnerable to attacks by unauthorized users. These variables are not set by default. An unauthorized user must only guess the device's password, the way it is set in Control Panel, to obtain access to the server.
To prevent such an attack, the user name in the UserList registry value must be set for each of the servers that are currently running. The user will then need to log in with the specified user name and appropriate password to use the server.
You can set the domain variable in the DefaultDomain registry value, which is located under the HKEY_LOCAL_MACHINE\Comm\Redir registry key. For more information on this registry value, see Windows Networking API/Redirector Registry Settings.
If the DefaultDomain registry value is not set, Windows CE uses the local user database to set the domain variable. You can use the NTLMSetUserInfo function to add user information to the local database.
Enable a firewall on your network device
For enterprise environments, Microsoft recommends the use of a network firewall with intrusion protection, such as Microsoft Internet Security and Acceleration (ISA) Server. For more information, visit this Microsoft Web site.
For non-enterprise environments or for added protection, Microsoft recommends that you include and configure the Windows CE Firewall on the network device. For more information about the Windows CE IP Firewall and how to configure it, see Firewall.
For information about configuring the IP firewall to properly manage traffic destined for the internal network, see IP Firewall Reference.
Default Registry Settings
You should be aware of the registry settings that impact security. If a value has security implications you will find a Security Note in the registry settings documentation.
For Telnet Server registry information, see Telnet Server Registry Settings.
Ports
The Telnet server uses port 23 as a default port to receive Telnet connections. This value can be changed or extra ports to be listened on can be added. Telnet Server uses Services.exe to listen for incoming connections. Services.exe can listen on any IPv4 or Ipv6 port. For more information, see Registering a Super Service Automatically.
See Also
Telnet Server | Telnet Server Registry Settings | Enhancing the Security of a Device
Send Feedback on this topic to the authors