6

Yesterday I needed a telnet client to connect to my ADSL router and none of the three Windows Seven computers at my home had it(Win Home Premium 32 PC, Win Professional 64 notebook and Win Ultimate 32 notebook). Fortunately, looking for a way to install telnet again at my machine(the one with Win 7 Prof.) I found an aswear here on SU(just for reference).

This makes me wondering why would Microsoft disable telnet on Windows Seven. As far I remember, it was present and active on Windows Vista and XP on all versions and SKUs.

Should this be for any reason linked to security threat, I mean, could Microsoft be worried about users security on using a telnet client? Wouldn't it be just on a telnet server? There is a true explained reason to that?

Community
  • 1
Diogo
  • 30,192
  • 65
  • 150
  • 222
  • Why do you believe it was dropped for security reasons? Why not just the simple fact that almost nobody needs a Telnet client anymore since almost everything has switched over to SSH or HTTP/HTTPS? The people that do need a telnet client almost always want one with more functionality then the built-in crappy client you got with earlier versions of Windows. – Zoredache Mar 13 '12 at 22:58
  • 1
    There is another use for a telnet client: to troubleshoot connectivity issues with local and remote running software. – RCross Dec 19 '15 at 08:32

3 Answers3

6

Having a telnet client isn't a threat in itself, if you're using it within your local network. Telnet was disabled in Windows 7 because it sends usernames and passwords in the clear for authentication. See this thread.

Running a server could constitute a legitimate security risk, but that isn't what you're doing so don't worry about it.

Community
  • 1
Fopedush
  • 2,002
  • 5
  • 20
  • 36
  • 1
    *> Telnet was disabled in Windows 7 because it sends usernames and passwords in the clear for authentication.*   By that token, a web-browser is bad if you enter credit-card info on a site that does not encrypt the connection. Of course if telnet is completely incapable of encrypting a connection… – Synetech Mar 13 '12 at 22:13
  • @Synetech so you think a web browser is not bad if it lets you enter sensitive information on a non secure site, without giving you any warning? Of course it's bad, that's why they started showing a danger icon to the left of the address bar in case of unavailable HTTPS, or warning pages when the SSL certificate is non valid or expired. – Redoman May 09 '21 at 00:30
  • @jj_ I see you misunderstood (read interpreted 180° backwards) what I was saying, but that's a common risk of plain text. Regardless, the Internet has changed a lot in the past decade, so comparing it to now is a pointless either way. – Synetech May 10 '21 at 01:05
2

Telnet is disabled by default on Windows7 for the simple reason that it is sometimes used as a callout mechanism by malware, and is generally not used by ordinary users, and thus a good candidate for disabling-by-default.

Telnet client is not a security risk in-and-of-itself - although you can certainly turn it into one by sending usernames and passwords to servers which will transmit unencrypted over the network.

SecurityMatt
  • 3,140
  • 16
  • 21
  • 1
    *> Telnet is disabled by default on Windows7 for the simple reason that it is sometimes used as a callout mechanism by malware*   Is that a server or client? – Synetech Mar 13 '12 at 22:14
  • 2
    What malware author can't manage to write the code to open a simple tcp socket? – Zoredache Mar 13 '12 at 22:59
  • @Synetech: The callout mechanism is from the Windows2000 era when malware would fire-up the local telnet server connected to CMD.EXE so the malware author could just telnet in to your machine and be immediately given a command prompt – SecurityMatt Mar 13 '12 at 23:58
  • @Zoredache: Managing and maintaining a TCP socket in x86 assembly is harder than doing an exec("telnet -l > cmd.exe") in x86 assembly. – SecurityMatt Mar 13 '12 at 23:59
  • Fundamentally though, the point is that if a program isn't in use by 99% of your users and it opens up attack surface to make them potentially more vulnerable, you shouldn't have it on by default - and that's why Microsoft have all of those services off-by-default. – SecurityMatt Mar 14 '12 at 00:01
1

The real problem is that Telnet will send all your authentication details (username and password) is clear text, this means anyone with a packet sniff will EASILY be able to see your username and password. Microsoft disabled Telnet by default so that an everyday user will not stumble on to the Telnet feature. There is no security risk in installing Telnet, as it is just used to initiate a remote connection.

Taylor Gibb
  • 2,609
  • 16
  • 17