Telnet available with no login

Risk Level: High

Check or Attack Name: TelnetOpen

Platforms: Any

Description:

Users can Telnet to this machine without a login. An attacker can access sensitive information through default accounts or easily guessed passwords.

Remedy:

Disable the Telnet account or change the password to something difficult to guess.

Unix: Disable login access to this Unix account if it is not needed.

To remove login access for a Unix account, follow these steps:

  1. Edit the /etc/passwd file.
  2. Locate the account.
  3. Place an * (asterisk) in the password field.
  4. Place the string /bin/false in the shell field. An example of the /etc/passwd entry for a disabled Guest account should resemble the following:

       guest:*:2311:50:Guest User:/home/guest:/bin/false
  5. Save and exit the file.
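
The result of the steps above can be checked after the edit. The following is an added example, not part of the original advisory: a POSIX shell audit that classifies each entry of a passwd-format file. The function names, status labels and all sample entries except guest are constructed for illustration, and it assumes the traditional seven-field /etc/passwd layout, where an empty password field means no password is required.

```shell
#!/bin/sh
# Added example: audit a passwd-format file against the Unix steps above.
# Status names are this example's own labels:
#   NO_PASSWORD  empty password field: the account logs in without a password
#   DISABLED     password field is "*" and shell is /bin/false (steps 3 and 4)
#   PARTIAL      only one of steps 3 and 4 has been applied
#   MALFORMED    entry does not have seven colon-separated fields
#   OTHER        anything else, e.g. "x" where the hash lives in a shadow file

# classify_accounts [FILE]  -> prints "name<TAB>status"; reads stdin if no FILE
classify_accounts() {
    awk -F: '
        /^#/ || /^$/ { next }                      # skip comments, blank lines
        NF != 7      { print $1 "\tMALFORMED"; next }
        {
            starred = ($2 == "*")
            noshell = ($7 == "/bin/false")
            if ($2 == "")                 status = "NO_PASSWORD"
            else if (starred && noshell)  status = "DISABLED"
            else if (starred || noshell)  status = "PARTIAL"
            else                          status = "OTHER"
            print $1 "\t" status
        }
    ' "${1:--}"
}

# is_disabled NAME [FILE]  -> exit status 0 only if NAME is fully disabled
is_disabled() {
    classify_accounts "${2:--}" |
        awk -F'\t' -v n="$1" '$1 == n && $2 == "DISABLED" { ok = 1 }
                              END { exit !ok }'
}

# Constructed sample data; only the guest line is the entry shown in step 4.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
guest:*:2311:50:Guest User:/home/guest:/bin/false
demo::2312:50:Demo User:/home/demo:/bin/sh
field:*:2313:50:Field Service:/home/field:/bin/sh
EOF
}

sample_passwd | classify_accounts
```

On a live system, pass the file as an argument, for example classify_accounts /etc/passwd.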

Windows: Change the password on this account to something difficult to guess, or disable login access to this Windows account.

To change a password on a Windows account, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Double-click the account to display the User Properties dialog box.
  3. In the Password field, type a new password.
  4. In the Confirm Password field, confirm the new password.
  5. Click OK.

—OR—

To disable login access to a Windows account, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. Double-click the account to display the User Properties dialog box.
  3. Select the Account Disabled check box.
  4. Click OK.