Microsoft Windows CE 3.0  

Authentication and Security Considerations

This is retired content. This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

The type of authentication that telnet uses varies, depending on which version of Windows CE you are running. The interface that is presented to the client browser is the same; the only difference is how the calls are handled internally.

If authentication is required, a prompt requesting the user's name and then password will be sent to the telnet client on establishing a connection. The password will not be echoed back to the client.

Note   In all versions of Windows CE that support the telnet sample, the password is sent in plain text across the network and is therefore vulnerable to packet snooping. A malicious user could obtain the password to the device by watching packets sent back and forth between the telnet sample and client during the authentication stage.

On Windows CE version 2.X, the password is checked against the password set on the system through the Password box in the Control Panel. On Windows CE 3.0 and later devices, the password is checked using NTLM authentication using the domain controller specified in HKEY_LOCAL_MACHINE\COMM\Redir\DefaultDomain. (However, the password itself is still sent unencrypted between the telnet client to the server.)

Another potential risk of using the Windows CE telnet sample is that if a malicious user could log onto the device, they would have complete control over it. This could involve deleting or modifying key system files and the registry.

Because of these serious security risks, it is recommended you only run the telnet sample on an internal network, where you trust the users. It is highly recommended you do notput this sample Telnet server on a public network such as the Internet.

 Last updated on Friday, April 02, 2004

© 2004 Microsoft Corporation. All rights reserved.