
Disable telnet unless telnet use is absolutely necessary.


CONTROL ID: 01478
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Disable all unnecessary services unless otherwise noted in a policy exception., CC ID: 00880

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Telnet should be disabled. (Pg 87, Mac OS X Security Configuration for version 10.4 or later, second edition, Second Edition)
  • Only enable telnet if absolutely necessary. (§ 2.3, The Center for Internet Security AIX Benchmark, 1.0.1)
  • Title: Remove telnet Clients Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an auth… (Rule: xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_2.1.2.1_services.telnet-client, The Center for Internet Security CentOS 6 Level 1 Benchmark, 1.0.0)
  • Only enable telnet if absolutely necessary. (§ 2.2, The Center for Internet Security FreeBSD Benchmark, 1.0.5)
  • Only enable telnet if absolutely necessary. (§ 2.2, The Center for Internet Security HP-UX Benchmark, 1.4.2)
  • Telnet should not be used for remote console access to the server, because it sends information over the network in clear text. (§ 5.5, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • Title: Remove telnet Clients Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an au… (Rule: xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_2.1.2.1_services.telnet-client, The Center for Internet Security Red Hat Enterprise Linux 6 Level 1 Benchmark, 1.2.0)
  • Title: Remove telnet Clients Description: The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmission medium could allow an au… (Rule: xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_2.1.2.1_services.telnet-client, The Center for Internet Security Red Hat Enterprise Linux 6 Level 2 Benchmark, 1.2.0)
  • Only enable telnet if absolutely necessary. (§ 2.3, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.0.5)
  • Only enable telnet if absolutely necessary. (§ 2.3, The Center for Internet Security Red Hat Enterprise Linux Benchmark, 1.1.1)
  • Only enable telnet if absolutely necessary. (§ 2.3, The Center for Internet Security Slackware Linux Benchmark, 1.1)
  • Only enable telnet if absolutely necessary. (§ 2.19, The Center for Internet Security Solaris 10 Benchmark, 2.1.2)
  • Only enable telnet if absolutely necessary. (§ 2.2, The Center for Internet Security Solaris Benchmark, 1.5.0)
  • Only enable telnet if absolutely necessary. (§ 2.3, The Center for Internet Security SuSE Linux Enterprise Server Benchmark, 2)
  • Title: Ensure telnet server is not enabled Description: The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmissio… (Rule: xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_telnet_server_is_not_enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_5.1.6.1_services.telnet-server, The Center for Internet Security Ubuntu 12.04 LTS Level 1 Benchmark, v1.0.0)
  • Title: Ensure telnet server is not enabled Description: The telnet-server package contains the telnet daemon, which accepts connections from users from other systems via the telnet protocol. Rationale: The telnet protocol is insecure and unencrypted. The use of an unencrypted transmissio… (Rule: xccdf_org.cisecurity.benchmarks_rule_5.1.6_Ensure_telnet_server_is_not_enabled Artifact Expression: xccdf_org.cisecurity.benchmarks_ae_5.1.6.1_services.telnet-server, The Center for Internet Security Ubuntu 12.04 LTS Level 2 Benchmark, v1.0.0)
  • This service allows remote users the ability to connect to your computer, without any encryption or security, using a command prompt. This service should be Disabled. (Pg 23, The Center for Internet Security Windows 2000 Benchmark, 2.2.1)
  • This service is installed by default and is used for remote management. The traffic that Telnet sends over the network is not protected or encrypted in any way. This service should be Disabled. (§ 4.1.15, The Center for Internet Security Windows 2000 Professional Benchmark, 2.2.1)
  • This service allows remote users the ability to connect to your computer, without any encryption or security, using a command prompt. This service should be Disabled. (§ 23, The Center for Internet Security Windows 2000 Professional Operating System Level 2 Benchmark, 2.2.1)
  • This service is installed by default and is used for remote management. The traffic that Telnet sends over the network is not protected or encrypted in any way. This service should be Disabled. (§ 4.1.15, The Center for Internet Security Windows 2000 Server Benchmark, 2.2.1)
  • The telnet service is not installed by default. This service allows a remote user to connect to another computer via a command prompt. Authentication is still required, but there is no encryption or security with the connection. This service should be Disabled or removed from the system. The permiss… (Pg 23, The Center for Internet Security Windows NT Benchmark, 1.0.5)
  • Only enable Telnet if absolutely necessary. It also states that if this is a requirement, take the time to look into a Secure Shell (SSH) remote management solution to fulfill your needs in a more secure manner. It is well worth the time and expense. (§ 4.1.20, The Center for Internet Security Windows XP Professional SP1/SP2 Benchmark, 2.01)
  • For a sample of system components, verify that non-console administrative access is encrypted by reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally. (§ 2.3.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • For a sample of system components, verify that non-console administrative access is encrypted by reviewing services and parameter files on systems to determine that telnet and other remote log-in commands are not available for use internally. (§ 2.3.b, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Review the services and the parameter files on a sample of systems to verify that telnet and other insecure remote login commands are not available for non-console access. (Testing Procedures § 2.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • For a sample of system components, verify that non-console administrative access is encrypted by reviewing services and parameter files on systems to determine that Telnet and other remote log-in commands are not available for use internally. (§ 2.3.b Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.1)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.2)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.1)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.2)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3 (b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (2.3(b), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (PCI DSS Question 2.3(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (PCI DSS Question 2.3(b), PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (PCI DSS Question 2.3(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (PCI DSS Question 2.3(b), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (PCI DSS Question 2.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are system services and parameter files configured to prevent the use of Telnet and other insecure remote login commands? (PCI DSS Question 2.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Table F-1: For Windows 2000 Server, the organization must configure the permissions for telnet to Administrators: Full Control; System: Read; and System: Start, Stop, and Pause. For Windows 2003 Server, the organization must configure the permissions for telnet (TlntSvr) to Administrators: Full Cont… (Table F-1, Table F-2, Table F-3, Table F-4, Table F-6, CMS Business Partners Systems Security Manual, Rev. 10)
  • If telnet is not required, the service should be disabled, deleted, or turned off. If the service is not deleted, patches should still be installed when available. (§ 8.3, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The use of telnet is not recommended since it passes information over the network in clear text. If the telnet service is not required, it should be deleted or disabled. If it is disabled, all appropriate security patches should still be installed when they are released. The system administrator sho… (§ 4.8, Defense Information Systems Agency UNIX Security Technical Implementation Guide Version 5 Release 1, Version 5, Release 1)
  • The Telnet service should be disabled. The service should be documented if enabling it is required. (§ 5.2.2.1, DISA Windows Server 2003 Security Checklist, Version 6 Release 1.11)
  • The Telnet service should be Disabled, unless absolutely necessary. If it is Enabled, there should be a documented and justified reason. (§ 5.2.2.1, DISA Windows XP Security Checklist, Version 6 Release 1.11)
  • Is telnet used for maintaining the router, if the router is maintained by a third party? (IT - Routers Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • telnet service should be enabled or disabled as appropriate Technical Mechanisms: via inetd via inetd.conf Parameters: enabled/disabled References: 10.8.10.5.4.1 (11) #14 (CCE-5872-7, Common Configuration Enumeration List, Combined XML: AIX 5.3, 5.20130214)
  • telnet service should be enabled or disabled as appropriate Technical Mechanisms: via inetd via inetd.conf Parameters: enabled/disabled References: 10.8.10.5.4.1 (11) #14 (CCE-6075-6, Common Configuration Enumeration List, Combined XML: HP-UX 11.23, 5.20130214)
  • telnet service should be enabled or disabled as appropriate Technical Mechanisms: via xinetd Parameters: enabled/disabled References: 10.8.10.5.4.1 (11) #14 (CCE-6204-2, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 4, 5.20130214)
  • The telnet service should be enabled or disabled as appropriate. Technical Mechanisms: via chkconfig Parameters: enabled / disabled References: Section: 3.2.2, Value: disabled CCE-U-104 (CCE-3390-2, Common Configuration Enumeration List, Combined XML: Red Hat Enterprise Linux 5, 5.20130214)
  • The telnet service should be enabled or disabled as appropriate. Technical Mechanisms: via svcadm Parameters: enabled / disabled / offline References: Section: 2.4.4, Value: disabled CCE-U-104 (CCE-4615-1, Common Configuration Enumeration List, Combined XML: Sun Solaris 10, 5.20130214)
  • telnet service should be enabled or disabled as appropriate Technical Mechanisms: via inetd via inetd.conf Parameters: enabled/disabled References: 10.8.10.5.4.1 (11) #14 (CCE-6634-0, Common Configuration Enumeration List, Combined XML: Sun Solaris 8, 5.20130214)
  • telnet service should be enabled or disabled as appropriate Technical Mechanisms: via inetd via inetd.conf Parameters: enabled/disabled References: 10.8.10.5.4.1 (11) #14 (CCE-7005-2, Common Configuration Enumeration List, Combined XML: Sun Solaris 9, 5.20130214)
  • For all Windows XP environments, this service should be Disabled. (§ 6.5, Guidance for Securing Microsoft Windows XP Systems for IT Professionals, NIST SP 800-68, Revision 1)
  • This service provides ASCII terminal sessions and supports two forms of authentication and four terminal types. The Telnet service should be Disabled. (Pg 70, NSA Guide to Security Microsoft Windows XP)
  • Only enable telnet if absolutely necessary. Telnet uses an unencrypted network protocol, which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network, and also that the session can be hijacked by outsiders… (App C § 2.2, NSA Guide to the Secure Configuration of Solaris 9, Version 1.0)