Telnet uses a non-standard port that firewalls commonly block.

Telnet transmits credentials and session data in plaintext.

SSH consumes less bandwidth than Telnet for the same tasks.

SSH does not require user authentication by default.

A valid CRL distribution point

A public root certificate in the server trust store

A server digital certificate signed by a trusted CA

An OCSP stapling service on the firewall

LDAP over TCP 389

LDAPS over TCP 636

LDAP with anonymous bind over TCP 389

Kerberos over UDP 88

Passwords are hashed with weak ciphers.

Passwords are transmitted without encryption.

The server cannot verify a user’s distinguished name.

Anonymous access to all directory objects is enabled.

Change the default community string to “public2”.

Enable SNMPv2c and limit access to port 162.

Disable SNMP entirely and rely on Syslog.

Upgrade to SNMPv3 and enforce user-based authentication with encryption.

SFTP

FTPS implicit TLS

FTPES (explicit TLS)

TFTP with IPSec tunnel

The SMTP server automatically encrypts every session before greeting the client.

The client requests to upgrade the plaintext connection to TLS after the initial HELO/EHLO.

Port 587 is reserved exclusively for SMTP over implicit TLS.

STARTTLS provides end-to-end message encryption that replaces S/MIME.