Microsoft KB Archive/231953

= How to Restrict Permissions for Telnet Users with Services for UNIX Telnet Server =

Article ID: 231953

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Server 4.0 Standard Edition, when used with:
 * Microsoft Windows NT Services for UNIX Add-On Pack




This article was previously published under Q231953



SUMMARY
This article describes how to restrict permissions for Telnet users with Services for UNIX Telnet Server.



MORE INFORMATION
Telnet allows users to gain access to resources on your Telnet servers. It is important to review your security policy and implement appropriate protection.

NOTE: Microsoft recommends using the NTFS file system when you use Telnet with Services for UNIX. The file allocation table (FAT) file system provides no file-level security and may present serious security risks.

To restrict permissions to certain files or folders:
 * 1) Create a local group and name it TelnetUsers.
 * 2) Give the TelnetUsers group No Access permissions for all files and folders on drives C and F. (The Windows NT folder (%SystemRoot%) is located on drive C, and the TelnetUsers Home folders are located on drive F.)
 * 3) Give the TelnetUsers group Read and Add permissions to the %SystemRoot% folder. Set these permissions only to the folder, not to any files or subfolders.
 * 4) Give the TelnetUsers group Read permissions to the following files in the %SystemRoot%\System32 folder:
 ** Rpcltc1.dll
 ** Cmd.exe
 ** Expand.exe
 ** Help.exe
 ** Pax.exe
 ** More.exe
 ** Ntlanman.dll
 * 5) Give the TelnetUsers group List permissions to the %SystemRoot%\System32 folder.
 * 6) For each user in the TelnetUsers group, specify a home folder of F:\Home\%Username%. Give each individual Full Control to his or her own folder and remove permissions for anyone else.
 * 7) Assign the TelnetUsers group List permissions to drive F.
 * 8) Connect to the Telnet server as a user to ensure everything functions properly. Run Cmd.exe from the shell prompt and see if you can change directories to the F:\Home folder or above. Change to the C drive and try to delete anything or read anything to which you do not explicitly have permissions.
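
The manual test in the last step can be backed by an offline check of the file permissions set in the No Access and Read steps. The following Python script is an added example, not part of the original article or any Microsoft tooling: it parses saved `cacls` output for the System32 folder and reports every file where the TelnetUsers entry differs from Read on the seven listed files or No Access elsewhere. The output layout, the server name SRV1 and the sample listing (including Ftp.exe and Net.exe) are constructed assumptions.

```python
import re

# Allow-list from the procedure: System32 files on which TelnetUsers gets Read.
ALLOWED = {"rpcltc1.dll", "cmd.exe", "expand.exe", "help.exe",
           "pax.exe", "more.exe", "ntlanman.dll"}
GROUP = "telnetusers"

# Constructed sample of saved cacls output. Assumed layout: path plus first
# entry on one line, further entries indented; N = No Access, R, C, F.
# SRV1 is a made-up server name; paths are assumed to contain no spaces.
SAMPLE = r"""
C:\WINNT\system32\cmd.exe BUILTIN\Administrators:F
                          SRV1\TelnetUsers:R
C:\WINNT\system32\more.exe BUILTIN\Administrators:F
                           SRV1\TelnetUsers:C
C:\WINNT\system32\ftp.exe BUILTIN\Administrators:F
                          SRV1\TelnetUsers:R
C:\WINNT\system32\net.exe BUILTIN\Administrators:F
                          SRV1\TelnetUsers:N
C:\WINNT\system32\pax.exe BUILTIN\Administrators:F
"""

ACE = re.compile(r"(\S.*?):([NRCF])\s*$")   # "<account>:<right>"

def parse_cacls(text):
    """Return {file name: TelnetUsers right, or None if the group has no entry}."""
    rights, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace():   # "<path> <first entry>"
            path, _, line = line.partition(" ")
            current = path.rsplit("\\", 1)[-1].lower()
            rights[current] = None
        m = ACE.match(line.strip())
        if m and current and m.group(1).rsplit("\\", 1)[-1].lower() == GROUP:
            rights[current] = m.group(2)
    return rights

def audit(rights):
    """Return (file, found, expected) for each file that departs from the procedure."""
    findings = []
    for name, got in sorted(rights.items()):
        want = "R" if name in ALLOWED else "N"   # allow-listed: Read; else No Access
        if got != want:
            findings.append((name, got, want))
    return findings

for finding in audit(parse_cacls(SAMPLE)):
    print(finding)
```

A file reported with `None` has no TelnetUsers entry at all, so access to it depends on whatever other groups the Telnet user belongs to.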

If you need to track the files your users are touching, or if you receive error messages after following the steps above, enable security auditing in User Manager: on the Policies menu, click Audit, and then select both Success and Failure for File and Object Access.

For additional information, please see the following article in the Microsoft Knowledge Base:

157238 How to Activate Security Event Logging in Windows NT 4.0


© Microsoft Corporation. All rights reserved.