Networking

Telnet provides remote control of your Windows 2000 server

An emergency administrative task is in your court. You?re nowhere near your Windows 2000 server, but you do have your PDA handy. What do you do? Use Telnet, of course. Derek Schauland shows you how Telnet can act as a remote control for your server.


Universal remotes have made home entertainment a couch potato’s dream come true. That same technology is now the network admin’s dream come true as well. A remote control is built into your Windows 2000 server that works as a universal remote in reverse. It’s called Telnet. By configuring a Telnet server on your Windows 2000 server, you can remotely control your Windows 2000 server from many different workstations, whether they’re PCs running Windows, Linux, MacOS X, or OS/2. You can even use Telnet to give you the ability to access your Windows 2000 server from a PDA. I’ll show you how to set up and configure a Telnet server on your Windows 2000 server.

All text, all the time
One of the most important things to understand about Telnet is that it only provides command-line control over your Windows 2000 server. None of your GUI programs will run from a Telnet session. This isn’t necessarily a bad thing. Often, the most efficient way to get to the bottom of the task at hand isn't through an overcrowded GUI interface. When you're trying to accomplish a quick and simple task, you don’t need to load a resource intensive application when, instead, you can use a text-based utility to get the job done. This is what Telnet provides, a quick command-line based utility for remotely accessing systems on your TCP/IP network.

Because Telnet is text-based, it’s much more open to nonWindows operating systems such as Linux or OS/2. The lack of a GUI also makes Telnet a whole lot faster than GUI remote control software such as pcAnywhere or Windows’ own Terminal Services client. Only text travels over the remote connection, not graphics. Graphical elements are much slower to transfer than strict text.

Starting Telnet
Telnet has been sitting on your Windows 2000 server since the day you installed it, but you’ve probably never used it. Telnet is a TCP/IP service that Windows 2000 loads at installation time, but the service is disabled by default.

You can start and stop Telnet from the Services MMC on your Windows 2000 server. Click Start | Programs | Administrative Tools | Services to start the MMC. When the Services MMC starts, scroll down through the list of running services until you see Telnet. Start it by right-clicking Telnet and then clicking Start. To stop it, right-click Telnet and click Stop.

If you want Telnet to start automatically when your server boots, right-click Telnet and select Properties. You’ll then see the Properties page for Telnet appear, as shown in Figure A. Select Automatic from the Startup drop-down list box.

Figure A
You can configure Telnet to start automatically when your server boots.


After Telnet is up and running, you can administer Telnet on your Windows 2000 server using the Telnet Server Admin program. To start it, go to a command prompt on your server, type tlntadmnand press [Enter]. When you do, you’ll see the screen shown in Figure B.

Figure B
Telnet Server Admin helps you administer Telnet on your server.


As you can see, the tlntadmn menu is very simple. There are no commands to enter. Just press the number for the appropriate command you want to execute. For example, to stop the Telnet service, press 5. To restart it, press 4.

Even though most of the options are self-explanatory, I’ll briefly explain them to avoid any confusion. Naturally, if you press 0, tlntadmn will stop and you’ll return to the command prompt.

Press 1 to view a list of users who are currently connected to your Telnet server, broken down into the following columns:
  • Username: The name of the user ID using Telnet
  • Domain: The name of the domain logged into
  • Remote machine: The TCP/IP address of the remote machine
  • Session ID: The logged in session number for the user
  • Logon time: The time the user logged into Telnet

You can force a user off of your server by pressing 2. When you see the Please Enter Session ID Of User Whose Session You Wish To Terminate prompt, enter the session ID number that you find when using menu option 1 above. The user’s connection will immediately be terminated from your server.

Customize how you can connect to the Telnet server by using the submenus you'll find by pressing 3. Even though option 3 says that you’re displaying and modifying the registry, don’t panic. You’re not actually accessing your server’s registry as you would if you were using Regedit. This menu option only allows you to change registry entries associated with Telnet.

When you press 3 from the main menu, you’ll see the Select One Of The Following Options menu, which lists all of the registry keys you can change. When you first select any of the options, you’ll see the current setting for the key. You’ll also see your available options for the key. Your options at this point include:
  • AllowTrustedDomain controls whether users must belong to a trusted domain to access the Telnet server. The default value for AllowTrustedDomain is 1. This value of 1 allows access to domain users from domains with a trust relationship to your server. A value of 0 does not allow access to domain users. It only allows local users.
  • AltKeyMapping controls how the [Alt] key works for terminals that don’t have an [Alt] key. Though this only works with VT100 terminals, the value of a 0 allows for [Ctrl]A to be treated as [Ctrl]A, whereas the value of 1 allows for [Ctrl]A to be treated as [Alt].
  • DefaultDomain controls the domain that authenticates the user ID entered at the Telnet logon prompt. It may be set to any domain that has a trust relationship with this server. Unless you have a good reason for doing so, leave this key alone.
  • DefaultShell allows you to modify of the location of the shell that the user uses when logging on to the server. By default, Windows 2000 uses Cmd.exe, which is the standard Windows 2000 command-line shell. You can change this to a UNIX shell if you prefer.
  • LoginScript sets a login script for the Telnet session. You can’t directly enter login script commands. You can only point to a predefined login script file.
  • MaxFailedLogins allows you to specify the number of failed logons allowed before the user cannot log on. The default value is 3.
  • NTLM will allow you to specify authentication options for the system. NTLM authentication causes Telnet to use a challenge/response system with the client before allowing it to connect to the server. If you don’t want to use NTLM authentication, specify a 0 for this value. Setting this value to 1 causes Telnet to first try NTLM authentication. If it fails, Telnet uses a clear text username and password combination. Lastly, setting the value to 2 will only employ NTLM authentication. Setting NTLM authentication can greatly increase security for your Telnet sessions, but it can cause nonWindows operating systems to be unable to connect to the server.
  • TelnetPort allows you to define the TCP/IP port Telnet uses. By default, Telnet uses port 23. You can change this to any available TCP/IP port. Because port 23 is a commonly known port number for Telnet services, hackers will look for port 23 to be open. If you move the Telnet port to a different location, hackers won’t find it as easily.

The last two options in the Telnet Server Admin are Start The Telnet Service (option 4) and Stop The Telnet Service (option 5). Any time you change any of the registry settings in option 3, you must stop and restart the Telnet service to make the change take effect.

When you start the service, Telnet will display a wait message, such as Starting Microsoft Telnet Service. Once it has started, you’ll see a message stating that the start was successful. If the start command fails because Telnet service is running already, you'll see an error message similar to this:
Error: StartService
Error Number: 0


When you stop the service with choice 5, you'll also see a wait message and you'll receive a Connection Lost To Host message followed by a note telling you to press any key to continue.

Making the connection
After you’ve enabled Telnet on your server, you should test it from a workstation to ensure that your server will be accessible when you need it. Telnet clients vary from workstation to workstation, so I can’t give you specific instructions about how to make the connection. Generally, you make the connection to your Windows 2000 server by specifying the server’s IP address and selecting a terminal emulation to use. The most common emulation is VT100, although other terminal emulations such as VT220 or ANSI will work as well.

When you first connect to the server, you’ll have to log on. If you’ve enabled NTLM and try to connect via a nonWindows client, the Telnet server will instantly disconnect the session. Otherwise, you’ll have to provide a username and password for a valid user on the server. As you can see in Figure C, a Telnet session looks just like a command prompt from your Windows 2000 server. (This screen was generated on an OS/2 workstation connected to a Windows 2000 server’s Telnet server to demonstrate Telnet’s flexibility.)

Figure C
Any workstation with a Telnet client can connect to your Windows 2000 server.


Once you’ve connected to your server, you can do anything that you can do from your server’s console prompt—except start GUI programs. You can use the START and STOP commands to start and stop services. You can also use NT commands to administer your server.

As a practical example, think how Telnet might make life easier with menu-based commands and text editing when you’re not near your administrative workstation. Picture this: You're sitting in a meeting when you receive a page or an e-mail saying that someone in upper management has lost his or her password. Rather than leave the meeting, you quickly Telnet into the Windows 2000 server using your PDA and use the NET USER command to change the password. Then you e-mail the user the new password. All without having to leave your meeting.

Pass the remote, please
Universal remotes are all the rage when it comes to televisions and other home theater equipment. Now a similar technology can help you cut down on the amount of hands-on administration that you need to do. After you configure Telnet on your server, you can log onto your server from practically anywhere and do things just as easily as you could if you were standing right in front of it. Make sure you take the time to secure Telnet from hackers, and you’ll have an immensely useful tool in your administration arsenal.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

Editor's Picks