
Intrusion Detection FAQ: Computer Associates RCO Option

Network Browsing

Computer Associates [CA] has several names for its remote control software [Remotely Possible, TNG Remote Control Option and ControlIT].

All of the CA remote control products have the same ability to scan an entire subnet for hosts running their software. In the "connect to remote" screen you can enter the subnet you wish to scan by using either 0 or 255 as the last octet. The software will then provide a list of all available hosts.

Figure 1

This product performs the subnet search by sending a UDP packet to the broadcast address of a subnet and then waiting for responses. By default, each responding host sends 2 packets back to the originating host. Attached at the end of this document are network traces showing the full details of how this program works. In general the source port appears to vary by host installation; however, the destination port is always set to 800 in the broadcast packet. In the reply packet the host appears to include its host name, but this is not necessarily its real name: the software has a configuration setting that lets a custom host name appear in the network browse window.

To stop a host from responding to this network broadcast, you will need to modify the Windows Registry. Add the following DWORD value under the key for your product, as listed in the table below. After you modify the registry and reboot the workstation/server, it should no longer respond to network browse requests.

  BrowseResponseTimes = 0

Product     Registry Key Location
RP/32       HKEY_LOCAL_MACHINE/Software/Avalan/RemotelyPossible32/Host
ControlIT   HKEY_LOCAL_MACHINE/Software/ComputerAssociates/ControlIT/Host
RCO         HKEY_LOCAL_MACHINE/Software/ComputerAssociates/RemoteControlOption/Host
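
As an added example (not part of the original FAQ or of CA's software), the Python below parses the IPv4 datagrams from Trace #1 at the end of this page and lists which hosts still answer the browse probe, which is one way to confirm from a capture that the BrowseResponseTimes change took effect. The names parse_browse and responding_hosts are hypothetical, and using the leading "1"/"2" payload byte to tell probes from replies is an inference from the traces, not documented protocol behaviour.

```python
import ipaddress
import struct

BROWSE_PORT = 800  # destination port of the browse broadcast, per the page

# IPv4 datagrams copied from Trace #1 on this page (link-layer headers removed).
TRACE1 = [bytes.fromhex(h) for h in (
    # frame 1: browse probe to 255.255.255.255
    "45 00 00 38 B3 AC 00 00 80 11 63 CB 0A 01 19 3D FF FF FF FF 08 3F 03 20"
    "00 24 7F A1 31 00 00 00 D9 27 02 00 52 50 20 31 30 34 35 30 31 34 44 52"
    "41 36 33 32 42 35 41 36",
    # frame 2: first reply from 10.1.25.115
    "45 00 00 27 35 97 00 00 80 11 BE 7D 0A 01 19 73 0A 01 19 3D 03 20 08 3F"
    "00 13 5F 4A 32 43 48 55 43 4B 5F 53 31 36 00",
    # frame 3: reply from 10.1.25.193
    "45 00 00 26 9C 4D 00 00 80 11 57 7A 0A 01 19 C1 0A 01 19 3D 03 20 08 3F"
    "00 12 53 23 32 54 45 53 54 5F 4C 41 42 00",
    # frame 4: second reply from 10.1.25.115
    "45 00 00 27 36 97 00 00 80 11 BD 7D 0A 01 19 73 0A 01 19 3D 03 20 08 3F"
    "00 13 5F 4A 32 43 48 55 43 4B 5F 53 31 36 00",
)]

def parse_browse(datagram):
    """Classify an IPv4 datagram as a browse probe or reply; None otherwise."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4 or datagram[9] != 17:
        return None  # not IPv4 carrying UDP
    ihl = (datagram[0] & 0x0F) * 4
    if ihl < 20 or len(datagram) < ihl + 8:
        return None  # malformed or truncated headers
    src, dst = (str(ipaddress.IPv4Address(datagram[o:o + 4])) for o in (12, 16))
    sport, dport, ulen = struct.unpack_from("!HHH", datagram, ihl)
    payload = datagram[ihl + 8:ihl + ulen]
    # Assumption read off the traces: probes start with "1", replies with "2".
    if dport == BROWSE_PORT and payload[:1] == b"1":
        return ("probe", src, dst)
    if sport == BROWSE_PORT and payload[:1] == b"2":
        # Advertised name is NUL-terminated and configurable, so untrusted.
        name = payload[1:].split(b"\x00", 1)[0].decode("ascii", "replace")
        return ("reply", src, name)
    return None

def responding_hosts(datagrams):
    """Map each replying IP to its advertised name; duplicate replies collapse."""
    hits = filter(None, map(parse_browse, datagrams))
    return {ip: name for kind, ip, name in hits if kind == "reply"}

if __name__ == "__main__":
    print(responding_hosts(TRACE1))
```

A host that has been reconfigured and rebooted should no longer appear in the result for a capture taken during a browse of its subnet.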


A 30 evaluation copy of this software can be obtained from Computer Associates. Go to http://www.cai.com/registration/cd_it_workgroup.htm, fill out the registration form, and they will send you a CD with the software.

Software Security

After installing this product, it is very important to verify the security settings. By default the product uses its own proprietary security system, which has a default login and password of "default". The default settings also do not have any logging enabled.

If you are running on a Windows workstation which is not a member of an NT domain, you will need to use the product's Proprietary Security. Make sure you change the login ID and password to something more secure.

If you are running on a Windows workstation which is a member of an NT domain, you should configure the software to use the NT Group/Domain User Security. This will allow you to have the same security settings for this software that you use for logging into the network [this includes items like time restrictions and account intrusion lockouts].

Figure 2

Software Logging

If you are running Windows 95/98, enable logging to a text file and make sure all options are checked off. If you are running Windows NT Workstation or Server, make use of the External Log capability. This will allow you to set the software to log all entries to the NT Event Log. Again, make sure all options are checked.

Figure 3

An additional safety factor can be added by not running the remote control software at startup on user workstations. In most cases the user of a workstation can manually start the software when needed.

References:


TNG RCO Help File
http://www.cai.com/products/products_az.htm

http://www.cai.com/products/controlit.htm

http://support.cai.com/techbases/rp/40020.html

Network Traces:


Trace #1
Default broadcast to 255.255.255.255

Network Monitor trace Fri 02/25/00 17:52:16 c:\sans\rp-broadcast1.TXT
**********
Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

1 17:50:1 23LKV59 *BROADCAST UDP IP Multicast:
Src Port: Unknown, (2111); Dst Port: Unknown (800) 23LKV59 255.255.255.255 IP

00000: 10 40 FF FF FF FF FF FF 80 06 29 AA F6 36 82 70 .@........)..6.p
00010: AA AA 03 00 00 00 08 00 45 00 00 38 B3 AC 00 00 ........E..8....
00020: 80 11 63 CB 0A 01 19 3D FF FF FF FF 08 3F 03 20 ..c....=.....?.
00030: 00 24 7F A1 31 00 00 00 D9 27 02 00 52 50 20 31 .$..1....'..RP 1
00040: 30 34 35 30 31 34 44 52 41 36 33 32 42 35 41 36 045014DRA632B5A6

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

2 17:50:1 CHUCK_S16 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 19 ( CHUCK_S16 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 00 83 27 A3 EE AA AA .@..)..6...'....
00010: 03 00 00 00 08 00 45 00 00 27 35 97 00 00 80 11 ......E..'5.....
00020: BE 7D 0A 01 19 73 0A 01 19 3D 03 20 08 3F 00 13 .}...s...=. .?..
00030: 5F 4A 32 43 48 55 43 4B 5F 53 31 36 00 _J2CHUCK_S16.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr
3 17:50:1 0000F68ABA8D 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 18 ( 10.1.25.193 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 00 F6 8A BA 8D AA AA .@..)..6........
00010: 03 00 00 00 08 00 45 00 00 26 9C 4D 00 00 80 11 ......E..&.M....
00020: 57 7A 0A 01 19 C1 0A 01 19 3D 03 20 08 3F 00 12 Wz.......=. .?..
00030: 53 23 32 54 45 53 54 5F 4C 41 42 00 S#2TEST_LAB.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

4 17:50:1 CHUCK_S16 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 19 ( CHUCK_S16 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 00 83 27 A3 EE AA AA .@..)..6...'....
00010: 03 00 00 00 08 00 45 00 00 27 36 97 00 00 80 11 ......E..'6.....
00020: BD 7D 0A 01 19 73 0A 01 19 3D 03 20 08 3F 00 13 .}...s...=. .?..
00030: 5F 4A 32 43 48 55 43 4B 5F 53 31 36 00 _J2CHUCK_S16.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

5 17:50:1 0000F68ABA8D 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 18 ( 10.1.25.193 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 00 F6 8A BA 8D AA AA .@..)..6........
00010: 03 00 00 00 08 00 45 00 00 26 9D 4D 00 00 80 11 ......E..&.M....
00020: 56 7A 0A 01 19 C1 0A 01 19 3D 03 20 08 3F 00 12 Vz.......=. .?..
00030: 53 23 32 54 45 53 54 5F 4C 41 42 00 S#2TEST_LAB.

Trace #2
Scanning another subnet using 255 as the last octet

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

1 1.280 23LKV59 Router2339C4 UDP
Src Port: Unknown, (2111); Dst Port: Unknown (800);
Length = 36 ( 23LKV59 10.1.27.255 IP

00000: 10 40 00 06 3A 23 39 C4 00 06 29 AA F6 36 AA AA .@..:#9...)..6..
00010: 03 00 00 00 08 00 45 00 00 38 EC AC 00 00 80 11 ......E..8......
00020: 04 CB 0A 01 19 3D 0A 01 1B FF 08 3F 03 20 00 24 .....=.....?. .$
00030: 59 A1 31 00 00 00 D9 27 02 00 52 50 20 31 30 34 Y.1....'..RP 104
00040: 35 30 31 34 44 52 41 36 33 32 42 35 41 36 5014DRA632B5A6

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

2 2.226 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 17 ( 10.1.27.180 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 25 45 12 00 00 7F 11 ......E..%E.....
00020: AD C3 0A 01 1B B4 0A 01 19 3D 03 20 08 3F 00 11 .........=. .?..
00030: D0 96 32 42 48 30 30 30 30 41 00 ..2BH0000A.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

3 2.228 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 22 ( 10.1.27.140 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 2A F6 61 00 00 7F 11 ......E..*.a....
00020: FC 96 0A 01 1B 8C 0A 01 19 3D 03 20 08 3F 00 16 .........=. .?..
00030: B8 AC 32 54 4E 47 5F 53 48 49 50 5F 49 54 31 00 ..2TNG_SHIP_IT1.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

4 2.229 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 21 ( 10.1.27.144 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 29 9D 80 00 00 7F 11 ......E..)......
00020: 55 75 0A 01 1B 90 0A 01 19 3D 03 20 08 3F 00 15 Uu.......=. .?..
00030: CB D2 32 55 53 44 5F 41 4D 4F 5F 45 4E 54 00 ..2USD_AMO_ENT.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

5 2.233 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 24 ( 10.1.27.145 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 2C 7A F1 00 00 7F 11 ......E..,z.....
00020: 78 00 0A 01 1B 91 0A 01 19 3D 03 20 08 3F 00 18 x........=. .?..
00030: 75 6C 32 50 43 46 43 5F 41 53 49 41 5F 54 50 44 ul2PCFC_ASIA_TPD
00040: 43 00 C.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr
6 2.236 Router2325C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 23 ( 10.12.7.230 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 25 C4 AA AA .@..)..6..:#%...
00010: 03 00 00 00 08 00 45 00 00 2B 78 B3 00 00 7F 11 ......E..+x.....
00020: 8D DF 0A 0C 07 E6 0A 01 19 3D 03 20 08 3F 00 17 .........=. .?..
00030: A3 32 32 43 4F 52 50 4F 52 41 54 45 5F 50 44 43 .22CORPORATE_PDC
00040: 00 .

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr
7 2.270 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 16 ( 10.1.27.131 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 24 30 E9 00 00 7F 11 ......E..$0.....
00020: C2 1E 0A 01 1B 83 0A 01 19 3D 03 20 08 3F 00 10 .........=. .?..
00030: 91 CD 32 44 4F 4D 49 4E 4F 00 ..2DOMINO.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

8 2.661 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 16 ( 10.1.27.131 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 24 35 E9 00 00 7F 11 ......E..$5.....
00020: BD 1E 0A 01 1B 83 0A 01 19 3D 03 20 08 3F 00 10 .........=. .?..
00030: 91 CD 32 44 4F 4D 49 4E 4F 00 ..2DOMINO.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

9 2.914 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 24 ( 10.1.27.145 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 2C 7C F1 00 00 7F 11 ......E..,|.....
00020: 76 00 0A 01 1B 91 0A 01 19 3D 03 20 08 3F 00 18 v........=. .?..
00030: 75 6C 32 50 43 46 43 5F 41 53 49 41 5F 54 50 44 ul2PCFC_ASIA_TPD
00040: 43 00 C.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

10 2.917 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 17 ( 10.1.27.180 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 25 46 12 00 00 7F 11 ......E..%F.....
00020: AC C3 0A 01 1B B4 0A 01 19 3D 03 20 08 3F 00 11 .........=. .?..
00030: D0 96 32 42 48 30 30 30 30 41 00 ..2BH0000A.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr
11 3.228 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 22 ( 10.1.27.140 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 2A F7 61 00 00 7F 11 ......E..*.a....
00020: FB 96 0A 01 1B 8C 0A 01 19 3D 03 20 08 3F 00 16 .........=. .?..
00030: B8 AC 32 54 4E 47 5F 53 48 49 50 5F 49 54 31 00 ..2TNG_SHIP_IT1.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

12 3.245 Router2339C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 21 ( 10.1.27.144 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 39 C4 AA AA .@..)..6..:#9...
00010: 03 00 00 00 08 00 45 00 00 29 A0 80 00 00 7F 11 ......E..)......
00020: 52 75 0A 01 1B 90 0A 01 19 3D 03 20 08 3F 00 15 Ru.......=. .?..
00030: CB D2 32 55 53 44 5F 41 4D 4F 5F 45 4E 54 00 ..2USD_AMO_ENT.

**********

Frame Time Src MAC Addr Dst MAC Addr Protocol Description
Src Other Addr Dst Other Addr Type Other Addr

13 3.252 Router2325C4 23LKV59 UDP
Src Port: Unknown, (800); Dst Port: Unknown (2111);
Length = 23 ( 10.12.7.230 23LKV59 IP

00000: 18 40 00 06 29 AA F6 36 00 06 3A 23 25 C4 AA AA .@..)..6..:#%...
00010: 03 00 00 00 08 00 45 00 00 2B 79 B3 00 00 7F 11 ......E..+y.....
00020: 8C DF 0A 0C 07 E6 0A 01 19 3D 03 20 08 3F 00 17 .........=. .?..
00030: A3 32 32 43 4F 52 50 4F 52 41 54 45 5F 50 44 43 .22CORPORATE_PDC
00040: 00 .

**********