Provide user-level security
To control the access that Telnet users have to files on the
server, use only the NTFS file system on the system partition. Create a
TelnetClients group and add all Telnet users to that group. You can
then assign file and directory permissions to that group to control
members' access to the files and directories.
Avoid using plaintext authentication
If you configure Telnet Server to use plaintext authentication, an
attacker who can intercept network traffic will be able to obtain
users' passwords. To maintain maximum security, use only NTLM
authentication to authenticate Telnet clients, because NTLM
authentication encrypts passwords before sending them.
Protect configuration files
Telnet Server relies on the following files:
%windir%\system32\login.cmd
%windir%\system32\termcap
By default, these files inherit their permissions from the parent
folder. To prevent unauthorized users from tampering with these
files and compromising Telnet Server security, protect them with a
discretionary access control list (DACL) that grants the following
permissions and no others:
SYSTEM: Full Control
Administrators: Full Control
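One way to apply and then verify that DACL from PowerShell. This is an added example, not part of the original guidance; it assumes an elevated session whose account is allowed to change permissions on both files.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Well-known SIDs are used instead of account names so the script does not
# depend on the display language of the operating system.
$files = "$env:windir\system32\login.cmd", "$env:windir\system32\termcap"
$allowedSids = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators

foreach ($path in $files) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "$path not found, skipping"
        continue
    }
    $acl = Get-Acl -LiteralPath $path

    # Stop inheriting from the parent folder and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Remove every explicit entry so that nothing beyond the two grants remains.
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }

    # Grant Full Control to SYSTEM and Administrators only.
    foreach ($sid in $allowedSids) {
        $identity = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $grant = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($grant)
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Re-read the DACL and flag anything other than the two expected grants.
    $unexpected = @((Get-Acl -LiteralPath $path).Access | Where-Object {
        $sid = $_.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        $_.IsInherited -or
        $_.AccessControlType -ne 'Allow' -or
        $_.FileSystemRights -ne 'FullControl' -or
        $allowedSids -notcontains $sid
    })
    if ($unexpected.Count -eq 0) {
        Write-Output "$path : DACL grants only SYSTEM and Administrators Full Control"
    } else {
        Write-Warning "$path : unexpected entries: $($unexpected.IdentityReference -join ', ')"
    }
}
```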
Allow users to disconnect before stopping the service
Before you stop Telnet Server or uninstall it, send a message to
Telnet client sessions that you are about to stop the service. You
can then stop the service after the users have had the opportunity
to close their sessions. For more information, see Send a
message to one or more sessions.
Ensure that the client code page matches the code page of the remote terminal
If users will be connecting to Telnet Server from computers running
an internationalized operating system (such as a version capable of
supporting European languages), you should ensure that the code
page used by the command shell can display extended characters
properly. To set the code page for all users when they log on, edit
%systemroot%\system32\login.cmd to add the chcp command to set the
appropriate code page. For example, to support English and Western
European UNIX, add the command chcp 1252.