You can do this a number of ways. For instance, if the remote computer supports terminals, you can connect to it over the network as if you were connecting to it via a terminal. You may also be able to send a single command to the remote computer for it to execute (remote execution). Finally, you may be able to get a connection that includes graphics. This chapter discusses the protocols used for these various kinds of connections.
icrosoft's Remote Access Service (RAS) provides remote access to a network, not to an individual host, and is not discussed in this chapter; instead, it is discussed in Chapter 14, "Intermediary Protocols", along with other protocols used for connecting networks, including PPP and PPTP.
Windows 2000 includes both the client and the server; Windows NT 4 includes only a Telnet client, but Telnet servers for it are available from third parties or as part of the Windows NT Resource Kit.Although remote terminal access is the most common use of Telnet, most Telnet clients support the specification of arbitrary port numbers to access text-based TCP services at other ports. This is useful if you have a service for which you don't want to distribute a dedicated client; for example, it's often used to give access to MUDs (Multi-User Domains) and MOOs (Multi-user domains, Object Oriented), which are multi-user environments for games, collaborative work environments, or chat areas. Telnet clients are also used fairly often for debugging protocols that are normally accessed by dedicated clients. For example, people will check SMTP servers or verify usernames by using telnet hostname 25 to connect to the SMTP server directly on port 25 and type SMTP commands to it. It's important to understand that, although you may be using the program named telnet for these purposes, all it's doing is opening a simple TCP connection to the specified port number. The telnet program doesn't initiate the Telnet protocol (which provides for things like option negotiation between client and server, line-at-a-time and character-at-a-time modes, and so on) unless it is talking to a server on the standard Telnet port (port 23). This section discusses only the use of Telnet clients to access Telnet servers.
Although Telnet does not initiate negotiation except when talking to port 23, most Telnet clients will still respond to negotiation requests, which can be used by servers to detect people using Telnet instead of standard clients (for instance, people using Telnet to port 25 to attempt to forge email).Incoming and outgoing Telnet have very different security implications. Most sites want to allow their users access to outgoing Telnet service, so their users can get to command shells and information services provided via Telnet on remote systems on the Internet. (Figure 18-1 illustrates outbound Telnet.) On the other hand, most sites don't want to allow (or want to allow but very strictly control) incoming Telnet access to their site.
Users should be warned to use different passwords on external hosts from those they use on your hosts. When they make outgoing Telnet connections, their passwords may be sniffed. (See Chapter 21, "Authentication and Auditing Services", for more information about passwords and password sniffing.)
When both ends of the connection are running Windows 2000, and NTLM authentication is possible between them, Telnet can use NTLM authentication. In this case, authentication will take place outside the Telnet connection without passing cleartext password or username information. For more information about NTLM authentication, see Chapter 21, "Authentication and Auditing Services". The Telnet server and client may be configured to always use cleartext authentication, to attempt NTLM authentication and fall back to NTLM authentication, or to require NTLM authentication.
In addition, the Windows 2000 Telnet server can be configured to allow only users with local accounts or to allow users with domain accounts.
|Incoming session, client to server|
|Out||Int||Ext||TCP||23||>1023||Yes||Incoming session, server to client|
|Out||Int||Ext||TCP||>1023||23||||Outgoing session, client to server|
|In||Ext||Int||TCP||23||>1023||Yes||Outgoing session, server to client|
|17.7. Related Protocols||18.2. Remote Command Execution|
Copyright © 2002 O'Reilly & Associates. All rights reserved.