Computer Associates [CA] has several names for its remote control software [Remotely Possible, TNG Remote Control Option and ControlIT.
All of the CA remote control products have the same ability to scan an entire subnet for a host running their software. In the connect to remote screen you can enter the subnet you wish scanned by using either 0 or 255 as the last octet. The software will then provide a list of all hosts available.
This product does the subnet search by sending a UPD packet to the broadcast address of a subnet and then waiting for a response. By by default the responding hosts send 2 packets back to the originating host. Attached at the end of this document are network traces showing the full details of how this program works. In general the source port appears to vary by host installation however the destination port is always set to 800 in the broadcast packet. In the reply packet the host appears to include its host name. This is not necessarily true. Within the software configuration there is a configuration setting so that you can have a custom host name appear in the network browse window.
To disable sending responses to this network broadcast you will need to modify the Windows Registry. Add the following DWORD value in the appropriate location based on your product based on the table below. After modifying the registry and rebooting the workstation/server it should no longer respond to the network browse requests.
BrowseResponseTimes = 0
A 30 evaluation copy of this software can be obtained from Computer Associates. Go to the following URL: http://www.cai.com/registration/cd_it_workgroup.htm and fill out the registration form and they will send you a CD with the software.
After installing this product it is very important to verify the security settings. The default security settings for this product is to utilize its own proprietary security system which has a default login and password of "default". The default settings also do not have any logging enabled.
If you are running on a Windows workstation which is not a member of a NT domain you will need to use their Proprietary Security. Make sure you change the login id and password to something more secure.
If you are running on a Windows workstation which is a member of a NT domain you should configure the software to use the NT Group/Domain User Security. This will allow you to have the same security settings for this software that you use for logging into the network [this includes items like time restrictions and account intrusion lockouts]
If you are running Windows 95/98 enable logging to a text file and make sure all options are checked off. If you are running Windows NT Workstation or Server make use of the External Log capability. This will allow you to set the software to log all entries to the NT Event Log. Again make sure all options are checked.
An additional safety factor can be added in by not running the remote control software at startup on user workstations. In most cases the user of a workstation can always manually start the software when needed.
TNG RCO Help File
Default broadcast to 255.255.255.255
Network Monitor trace Fri 02/25/00 17:52:16 c:\sans\rp-broadcast1.TXT
Scanning another subnet using 255 as the last octet