Unlike previous chapters, this chapter is not about an application that can be used to publish information on the Internet. Instead, it's about an NT service that can be used to make remote-system administration easier. By setting up a telnet service, you will be able to access your server for various system administration tasks from anywhere on the Internet. The chapter begins with a brief discussion about various advantages and drawbacks of setting up a telnet server. Afterwards, you will be presented with a list of telnet servers available for Windows NT. Out of these telnet servers, installation and configuration issues of Pragma Systems InterAccess telnet server will be discussed. Pragma Systems telnet server was chosen because it is robust, supports screens larger than 80 × 24, and all aspects of the server can be administered via an easy-to-use graphical-user interface (GUI). It is also easy to install and configure by designating user-command shells, home directories, and shell-initializing programs. If you need information about other telnet servers listed in this chapter, please visit their respective URLs. All aspects of setting up, configuring, and administering the InterAccess telnet server will be discussed shortly. After completing this chapter, you will be able to compare features of other telnet servers with those of InterAccess and select the telnet server that best suits your needs.
Unlike the command prompt of various flavors of UNIX, Windows NT's command prompt is not very powerful. However, there are a number of ways to extend the capabilities of Windows NT's command prompt. For example, it is possible to define a special shell such as the Hamilton C Shell for Windows NT, to be used by the telnet server. By using such a command shell, you will be able to make use of powerful command-line utilities to make system-administration and -maintenance tasks easier to handle.
Before various telnet servers available for Windows NT are discussed, let's first examine why you should set up a telnet server.
There are many advantages in setting up a telnet server. For example, a telnet server can be used to access your server remotely from virtually anywhere on the Internet. It is possible to use Remote Access Service (RAS) or a third-party, remote-access program to connect to an NT machine, but depending on availability of hardware, software, and other factors, you might not be able to access your server at all times. On the other hand, telnet clients are widely available; all that's usually needed is access to the Internet.
Because the telnet protocol uses clear-text usernames and passwords to authenticate users, there are various security risks associated with setting up a telnet server. However, in a later section of this chapter you will be shown how to implement a solution to this problem. Although the solution presented is not very elegant, it will make sure that even if someone obtains a username and password by eavesdropping on a telnet session, the password will become useless the moment a user is authenticated. This is accomplished by using a Practical Extraction and Report Language (PERL) script to implement One-Time Passwords (OTP) when users telnet into the NT server. More information about this is provided later in this chapter, in the section "Addressing Security Concerns." Although Windows NT is an operating system that extensively uses GUIs, a number of tasks can be performed using the NT command prompt. By using various command-shell extenders, NT Resource Kit programs, and other utilities, the capabilities of the NT command prompt can be further extended. Listed next are a few tasks that can be accomplished by accessing your NT machine via a telnet server.
As you can see, there are many advantages to setting up a telnet server. Soon after security concerns and various telnet servers available for NT are discussed, you will be shown how to set up a telnet server and customize it to meet your needs.
At the time of this writing, all telnet servers available for Windows NT use clear-text passwords to authenticate users. Although some UNIX systems use more sophisticated user-authentication systems that validate users using a challenge/response mechanism, this feature is not yet available in telnet servers for Windows NT. It is not very desirable to use clear-text user IDs and passwords, because this can compromise the security of your NT server; a person with malicious intent can log on to your server using an intercepted username and password. To avoid such a possibility, the section "Addressing Security Concerns" will demonstrate a technique that can be used to implement OTPs on your telnet server. When OTPs are used, eavesdroppers will not be able to use user IDs and passwords of legitimate users to gain access to your server; one password is good for only one login. However, the implementation of OTPs presented in a later section is not very elaborate. Soon, you will discover what I mean by not very elaborate; however, what I am proposing is certainly better than using clear-text user IDs and passwords without any additional security.
Listed next are URLs of several telnet servers available for Windows NT. Out of these telnet servers, this chapter will discuss installation, configuration, and administration issues of Pragma Systems' InterAccess telnet server. You may obtain information about other Windows NT telnet servers by visiting their respective URLs:
After learning more about the InterAccess telnet server, you will be able to compare features of it with those of other telnet servers and select the server that best meets your needs.
The InterAccess telnet server listens for incoming telnet connections on port 23. When a user connects to the telnet server, he or she is authenticated with a username and a password. (See Figure 29.1.)
When a user is authenticated, he or she is presented with the Windows NT command prompt (CMD.EXE). You will be shown how to customize login prompts and change the default command shell in a later section of this chapter.
You need to be logged on as either the system administrator or a user with administrative rights in order to install the InterAccess telnet server. The server can be installed by executing the setup.exe file and specifying the directory you would like the telnet service to be installed in. When installation is complete, a new program group similar to the one shown in Figure 29.2 is created.
After the program group shown in Figure 29.2 is created, execute the INETD icon to start the telnet server. As shown in Figure 29.3, by default, the telnet server is set to start automatically after your system is booted. By going into Control Panel and executing the Services application, the telnet server can be set to start manually, if so desired. The telnet service consumes negligible system resources; the section "Addressing Security Concerns," will deal with security issues associated with running a telnet server. Therefore, it is recommended that you leave this setting as it is.
As shown in Figure 29.4, the InterAccess installation process also adds a new icon to the Control Panel. This icon, called Pragma Inetd, can be used to configure various programs to be started by the Inetd service.
Before users can log on using the telnet server, they need to be assigned the Windows NT user right Log On Locally. This right is assigned by invoking User Manager, choosing users who need telnet access and selecting Policies|User rights from the pull-down menu. You then will see the User Rights Policy dialog box shown in Figure 29.5. The user right Log On Locally can be selected from the pull-down list that lists various user rights. Afterwards, by clicking on the Add button, users or user groups can be given permission to access an NT machine via telnet.
Figure 29.5: The right Log On Locally can be assigned to a user or user group by using User Manager.
It might be easier for you to create a group called Telnet Users and assign the user right Log On Locally to this user group. You then will be able to easily control who has access to your server via telnet by examining members of the Telnet Users group.
The InterAccess telnet server can be customized by making changes to the registry, as shown in Figure 29.6.
The following key contains the directory in which InterAccess is installed. This registry key should not be changed unless the InterAccess directory is moved.
\\HKEY_CLASSES_ROOT\InterAccess\Path
A greeting message can be specified by modifying the following registry key. This greeting will be displayed when a user connects to the telnet server:
\\HKEY_CLASSES_ROOT\InterAccess\TelnetdGreetingMessage
The greeting message is a multiline key. Because the value of this key is displayed before a user is authenticated, it can be used to provide an e-mail address or a phone number to contact if assistance is needed.
As you can see in Figure 29.1, login name: is the default user login prompt, and password is the default password prompt. These two prompts can be customized by modifying the following two registry keys:
\\HKEY_CLASSES_ROOT\InterAccess\TelnetdLoginNameMessage
\\HKEY_CLASSES_ROOT\InterAccess\TelnetdPasswordMessage
The InterAccess server can be configured to use a shell of your choice. By default, the Windows NT command shell, CMD.EXE, is used. If you are more comfortable with a shell such as the Hamilton C-Shell for Windows NT, you can specify that shell to be used as the default user shell by modifying the following registry key:
\\HKEY_CLASSES_ROOT\InterAccess\TelnetdUserShell
Any character-based program that's compatible with Windows NT can be used as the user shell.
A shell-initialization file can be specified in the registry. Just like the autoexec.bat file in DOS, this file is automatically executed each time a user logs on via the telnet server and can be used to set user-environment variables and execute programs.
\\HKEY_CLASSES_ROOT\InterAccess\TelnetdUserShellInitializer
This key will be used in a later section to implement OTPs on your server.
The InterAccess server uses home directories specified in the Windows NT account database. The directory c:\ will be assumed if no home directory is specified for a user.
Home directories can be specified and changed using User Manager. After invoking User Manager, users to which you wish to assign a home directory can be selected. More than one user can be selected by pressing the Ctrl key and clicking on multiple users. After selecting one or more users, select Users|Properties to bring up the User Properties dialog box shown in Figure 29.7.
To specify user home directories, click on the Profile button in the dialog box shown in Figure 29.7. You then will be presented with a User Environment Profile dialog box similar to the one shown in Figure 29.8. User Home directories can be defined using this dialog box by typing the full path name of the user's home directory. If more than one user was selected, an implicit path name such as I:\Users\%USERNAME% can be specified in this dialog box as shown in Figure 29.8.
When setting up any Internet service, security is a major concern. Because the telnet server presents users with a command prompt after validating a username and a password, precautions must be taken to keep a person with malicious intent from accessing your server using an intercepted username and password.
Because the InterAccess server does not implement One-Time Passwords (OTPs) or a challenge/response mechanism to authenticate users, using clear-text user IDs and passwords can seriously compromise the security of your server.
One solution to this security nightmare is to implement OTPs on your telnet server. In the next section, a mechanism for implementing OTPs on your telnet server is given. In order for this to work, users should be given a list of valid passwords; each password is good for only one login. These passwords are saved in a text file and are used by a PERL script to change the user's password as soon as a user is authenticated to log on. You do not have to know how PERL scripts work to use this PERL script. Full source code of the PERL script is given in the "PERL Script for Implementing One-Time Passwords" section. If PERL is not already installed on your system, refer to Chapter 16, "Introduction to Windows NT CGI Programming," to learn how to obtain and install PERL for Windows NT.
Although it might be cumbersome to create this password file and print a copy of it for users who will be accessing your telnet server, it's far better than compromising the security of your NT server. Many people are only all too familiar with the two commands del *.* and format.
Security: Because passwords of accounts used to access the telnet server may change often, it is recommended that separate telnet access accounts be created for users who use the telnet server.
Listed next is a simple PERL script to implement OTPs on the NT server. In order for this script to work, PERL needs to be installed on your server. If you have not installed PERL on your system already and need assistance installing it, please refer to Chapter 16, "Introduction to Windows NT CGI Programming." For your convenience, the following PERL script is included in the CD-ROM that accompanies the book.
# PERL OTP implementation for NT telnet server
# By Sanjaya Hettihewa and John Salmi
# Please change the following to the name of your
# password file as described in Chapter 29
$File = "passwords";

# Open the password file for reading
open( INPUT, "$File" ) || die( "$File: $!\n" );

# Read contents of the password file into an array ( memory )
@Array = <INPUT>;

# Close the password file after reading it
close( INPUT );

# Stop if no passwords are left; otherwise the old password would
# silently stay in place and the OTP scheme would be defeated
die( "$File: no passwords left\n" ) unless @Array;

# Take the first line (the next NET USER command) off the list;
# shift removes it so it is not written back below
$Command = shift( @Array );
chomp( $Command );

# Execute command that changes the password
system( $Command );

# Rewrite contents of original file, minus the line just executed
open( OUTPUT, "> $File" ) || die( "$File: $!\n" );
print( OUTPUT @Array );
close( OUTPUT );
After copying this file to home directories of users who will telnet to your server, change the line $File = "passwords" to the name of your password file (the filename is enclosed within quotation marks). An absolute path name has to be used if this file is not located in the user's home directory. The PERL script then executes the first line of the password file and deletes it from the file. Let us now examine the format of the password file.
The preceding PERL script takes advantage of the fact that user passwords can be changed from the Windows NT command prompt with the following command:
NET USER <user_name> <password>
where <user_name> is the name of the user you wish to change the password of, and <password> is the new password. The password file is simply a list of NET USER <user_name> <password> commands. The PERL script always executes the first line of this file and deletes it from the file. For example, if the password file is identical to the following listing:
net user carina 1
net user carina 12
net user carina 123
net user carina 1234
net user carina 12345
each time Carina logs on to the NT server via telnet, the PERL script will change her password by executing the first line of the password file. After this line is executed and a new password is set, that line will be deleted from the password file. For example, the first time Carina logs on, her password will be changed to 1, the second time to 12, and so forth. Because someone eavesdropping on a telnet connection never sees this file being executed by the PERL script, there is no way for an eavesdropper to use the same password used to access the system or find out what the new password is. Because a new password is always used by the PERL script, and a line is deleted from the password file, you should always see to it that there are enough passwords in the password file. It is a good idea to add at least 20 passwords to the password file, print a copy of it, and give it to users who will be connecting to your server.
When selecting passwords, you should make sure passwords that are chosen are not vulnerable to a dictionary attack. A dictionary attack uses a computer program to crack a user's password by repeatedly entering common words from a dictionary. When selecting passwords, make sure they are hard to guess by using alphanumeric characters along with other characters, such as those used to punctuate sentences.
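As an added example (not the book's script and not Pragma Systems code), here is a Python reworking of the OTP idea covering both the password-file consumer above and the password-selection advice: it generates a list of random, non-dictionary passwords with a CSPRNG in the same net user format, and the consumer refuses to run on an empty list, rewrites the file atomically, and warns when few passwords remain. Python on the server, the file name passwords, the user carina, and the injectable runner (so the example can be exercised without actually calling NET USER) are assumptions.

```python
"""Added example (not the book's script): a Python reworking of the PERL OTP
idea above, with generator and consumer.  File name, user and runner are
demo assumptions."""
import os
import secrets
import string
from typing import Callable, List, Tuple

# Letters, digits and some punctuation, so the passwords are not dictionary
# words.  Characters cmd.exe treats specially (& | < > ^ " % !) are left out,
# because each line of the file is executed as a NET USER command.
ALPHABET = string.ascii_letters + string.digits + "#$+-=@_~"


def generate_password(length: int = 10) -> str:
    """Return one random password drawn from ALPHABET with a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def write_password_list(path: str, user: str, count: int = 20) -> List[str]:
    """Create the password file, one 'net user <user> <password>' line per
    login, in the format of the listing above.  Returns the passwords so a
    printed copy can be handed to the user."""
    passwords = [generate_password() for _ in range(count)]
    with open(path, "w") as fh:
        for pw in passwords:
            fh.write(f"net user {user} {pw}\n")
    return passwords


def dry_run(command: str) -> int:
    """Runner that only shows which line would execute, for trying this out."""
    print("would run:", " ".join(command.split()[:3]), "<password hidden>")
    return 0


def consume_next_password(path: str, run: Callable[[str], int] = os.system,
                          warn_below: int = 5) -> Tuple[str, int]:
    """Execute the first line of the password file and remove it.

    Returns (command_run, passwords_remaining).  Beyond the script above: an
    empty list raises instead of leaving the old password in place; the file
    is rewritten through a temporary file and os.replace, so a crash during
    the rewrite cannot destroy the list; a failed NET USER line is still
    removed (so it is not retried forever) and reported as an exception; the
    user is warned when few passwords remain."""
    with open(path) as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    if not lines:
        raise RuntimeError(f"{path}: no one-time passwords left")
    command, rest = lines[0], lines[1:]
    status = run(command)
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write("".join(ln + "\n" for ln in rest))
    os.replace(tmp, path)
    if status != 0:
        raise RuntimeError(f"password change failed with status {status}")
    if len(rest) < warn_below:
        print(f"Warning: only {len(rest)} one-time passwords left; "
              "ask the administrator for a new list")
    return command, len(rest)


if __name__ == "__main__":
    # Constructed demo: five passwords for a hypothetical user 'carina'.
    listed = write_password_list("passwords", "carina", count=5)
    print("hand these to the user:", listed)
    print(consume_next_password("passwords", run=dry_run))
```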
The shell-initializing file is automatically executed as soon as a user is validated and logged on to your NT server. By adding the PERL script mentioned earlier to the shell-initialization file, the moment a user logs on, the telnet server will execute the PERL script and change the user's password. Because other commands might take a while to complete, the PERL script should be the first command in this file. Listed here is a sample shell-initialization file:
@ECHO OFF
ECHO OTP passwords are enabled
ECHO About to change your password
perl PasswordChange.pl
ECHO Your password has been changed
In Figure 29.9, you can see how the shell-initialization file gets executed as soon as a user logs on via the telnet server. The name of the shell-initialization file can be specified by modifying the registry, as demonstrated earlier.
Because InterAccess uses the Windows NT security database to authenticate users, by using User Manager it's possible to allow access to your server via telnet only during certain hours of the day, as shown in Figure 29.10. Access can be restricted during certain hours or days by invoking User Manager, choosing the user, and selecting User|Properties. You then will be presented with a dialog box similar to the one shown in Figure 29.10.
It is a good idea to allow telnet server access only when it is needed. For example, if the telnet server will be used only during regular business hours, access to your server can be restricted during off-business hours.
The Telnet Manager icon shown in Figure 29.2 can be used to administer the InterAccess telnet server. Telnet Manager is an easy-to-use, graphical application for managing users connected to any Windows NT machine on the Internet running the InterAccess telnet server. In order to use Telnet Manager, you need to be the system administrator or a user with administrative rights. After invoking the Telnet Manager application, before administering a telnet server, you need to connect to a machine that runs InterAccess. This is done by selecting Manage|New Machine from the menu bar. After selecting New Machine, you will be presented with a dialog box similar to the one shown in Figure 29.11. In this dialog box, type the Internet address of the computer you wish to administer.
After typing the Internet address, click on the OK button to continue. Next, you will be presented with a User Verification dialog box similar to the one shown in Figure 29.12. Use this dialog box to type in the user name and password of the system administrator or a user account with administrative permissions.
After providing a valid username and a password with administrative rights, the Telnet Manager will connect to the server you wish to manage and present you with a list of users logged on to that server. As you can see in Figure 29.13, this list contains usernames of users connected to the telnet server along with the time they logged on. Because this listing does not get updated automatically, View|Refresh needs to be selected to obtain the most up-to-date list of users logged on.
Additional information about a user, such as the process ID of the connection and the machine the user is connecting from, can be obtained by double-clicking on a user listed in Telnet Manager. The information you receive after double-clicking on a user is shown in Figure 29.14.
Figure 29.14: Additional information about a user listed in Telnet Manager.
By choosing a user and selecting User|Logoff, it is also possible to disconnect users from the telnet server.
The InterAccess telnet service can be uninstalled by executing the Uninstall InterAccess icon shown in Figure 29.2. To prevent users from losing their work, they should be given a chance to complete it and disconnect from the telnet server before commencing the uninstall process. In the unlikely event you encounter problems with the uninstall program, follow these directions to manually uninstall the telnet service:
By reading this chapter, you learned about various issues that need to be addressed when setting up a telnet server. The chapter began with an introduction to how telnet servers work and a discussion of how you and your users can benefit from setting up a telnet server. Although only one telnet server was comprehensively covered, at the beginning of the chapter you were provided with a list of Windows NT telnet servers, along with their URLs. Out of these telnet servers, Pragma Systems' InterAccess telnet server was used to demonstrate how a telnet server can be set up under Windows NT. Virtually all aspects of utilizing and configuring the InterAccess server were covered to demonstrate how it can be customized to suit your needs.
Without compromising your server's security, you can now set up a telnet server on your system and configure it to meet your needs.
In previous chapters, you were shown how to set up a number of information-distribution applications under Windows NT. Although these applications can be used to distribute information, apart from the mail-list server discussed in Chapter 27, "Setting Up a Mail-List Server," none of the applications discussed earlier can be used to host Internet discussion forums. The next chapter demonstrates how to set up a Windows NT NNTP (Network News Transfer Protocol) news server to do just this. You are probably already familiar with Internet newsgroups. Internet newsgroups are discussion forums set up on the Internet, where users with similar (or opposing) viewpoints can post messages and discuss various issues. Many newsgroups have been set up, discussing virtually everything imaginable. These newsgroups are hosted using NNTP news servers. There are many benefits to setting up your own news server. After you install and configure it, users will be able to exchange information and discuss various issues. If you are providing a service or selling a product, a news server can be used very effectively to provide customer service as well as technical support.
Although an Internet mail-list server similar to the one discussed in Chapter 27 can be used to create Internet discussion forums using e-mail, there are a number of drawbacks to this. Because there is no automatic archival of messages, it is often hard for users to locate a message that was sent to the list a few weeks ago. On the other hand, a news server can be configured to keep messages active for a certain period of time, allowing users to browse old messages and find out more about a topic previously discussed.
After reading the next chapter, you will discover how easy it is to set up a news server and use it effectively to distribute information and set up discussion forums on the Internet. After putting your news server to use, you will soon ascertain the virtues of setting up an Internet news server. As an added bonus, the next chapter also discusses when you should use an Internet mail-list server or a news server. The following chapter also highlights advantages and drawbacks to using the preceding two servers and discusses how they complement each other.