Let’s be honest: gaming at the office isn’t in any best practices guide. Don’t get me wrong, I’m not against gaming—it just doesn’t belong on the office network. This isn’t a popular attitude to take, but it’s a smart one. Corporate machines and their bandwidth are for business activities—not amusement. Not only does gaming pose a productivity problem, but it can also jeopardize network security.
If your users are gaming at the office, I recommend revisiting your corporate policy immediately. Let’s look at four steps you can take to regain control of your network from gamers.
Put it in writing
Inform users that it’s against company policy to install unapproved software applications on company computers. This covers a wide field that includes games, bootleg copies of office programs, unapproved utilities, and a wide assortment of potential malware that has no business function.

If, in fact, you don’t have a policy that addresses this matter, I recommend taking immediate steps to create one. Instituting a written policy that addresses Internet usage is a security best practice for many reasons.

In addition, publish a list of approved software for which the company owns licenses. Your policy should also detail the process for adding software to the approved list and outline penalties for noncompliance.

Putting all of this in writing covers you from a legal perspective for the actions you’ll need to take to actually deter users from turning their office machines into gaming platforms.
Lock down the Program Files folder
By default, most games install in the Program Files directory. Therefore, to further discourage gaming, users shouldn’t have the rights to create or modify files in this directory.

Verify that your users have only user rights and that they aren’t power users or administrators on their machines. To do so, follow these steps:
- Right-click My Computer, and select Manage.
- In the left-hand pane, expand Local Users And Groups.
- Select Groups, and double-click Users in the right-hand pane.
Verify that your Domain Users group (or the domain group that your users belong to) is a member of this group. Check the other groups, specifically the Administrators group, and verify that no normal user accounts are in this group. Check the Power Users group for invalid entries as well.
Now that you’ve ensured users have only user rights to common file objects, follow these steps:
- Double-click My Computer, and double-click Local Disk (C:).
- Right-click Program Files, and select Properties.
- On the Security tab, select Users from the Group Or User Names list box, and verify these permissions: Read & Execute, List Folder Contents, and Read.
- Verify that no invalid entries exist for the security properties of this folder.
Users will no longer be able to install software that defaults to this location. If they want to install games, users must now consciously select an alternate location to install the game.
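The two checks above (no ordinary accounts in the privileged groups, and Users holding only Read & Execute on Program Files) can be audited from a script rather than clicked through on every machine. This is an added example, not code from the original column; it assumes a current Windows host with PowerShell 5.1 or later (Get-LocalGroupMember), an elevated prompt, and that your domain-wide user group is called Domain Users.

```powershell
# Added example (not from the original article). Assumes PowerShell 5.1+, run elevated.
# The group name "Domain Users" is an assumption; substitute your own domain group.
$expectedUserGroup = "Domain Users"

# --- Check 1: only the expected group should be in Users, and no individual user
# accounts should sit in Administrators or Power Users.
foreach ($g in "Administrators", "Power Users") {
    try {
        Get-LocalGroupMember -Group $g -ErrorAction Stop |
            Where-Object { $_.ObjectClass -eq "User" } |
            ForEach-Object { Write-Warning "User account found in $g`: $($_.Name)" }
    } catch {
        # Group missing (Power Users is absent on some editions) or a stale SID in it.
        Write-Host "Could not enumerate $g`: $($_.Exception.Message)"
    }
}
$users = Get-LocalGroupMember -Group "Users" -ErrorAction SilentlyContinue
if (-not ($users.Name -like "*\$expectedUserGroup")) {
    Write-Warning "$expectedUserGroup is not a member of the local Users group"
}

# --- Check 2: Users may hold Read & Execute (which includes List Folder Contents and
# Read) plus the implicit Synchronize bit on Program Files, and nothing more.
$allowedBits = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
               [int][System.Security.AccessControl.FileSystemRights]::Synchronize
$acl = Get-Acl -Path $env:ProgramFiles
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -ne "BUILTIN\Users") { continue }
    if ($ace.AccessControlType -ne "Allow") { continue }
    # Any bit outside the allowed set (Write, Modify, FullControl, ...) is a finding.
    $extra = [int]$ace.FileSystemRights -band (-bnot $allowedBits)
    if ($extra -ne 0) {
        Write-Warning ("Users hold extra rights on {0}: {1}" -f $env:ProgramFiles, $ace.FileSystemRights)
    } else {
        Write-Host ("Users on {0}: {1} (OK)" -f $env:ProgramFiles, $ace.FileSystemRights)
    }
}
```

Deny entries and other principals are deliberately skipped; a Deny ACE for Users would only tighten things, and other groups (TrustedInstaller, Administrators) are expected to hold more rights.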
Take advantage of Group Policy’s Software Restriction Policies
Within the Local Security Settings and the Group Policy Settings, you’ll find the often-overlooked Software Restriction Policies folder. As the name implies, a software restriction policy controls what software a user can and cannot run.
This is actually a group policy element that you can apply either at the domain level through the domain controller (users then inherit the policy) or directly to a workstation running Windows XP or Windows 2000. To change the Software Restriction Policy locally, follow these steps:
- Log onto the machine as Administrator.
- Click Start | Control Panel | Administrative Tools.
- Double-click Local Security Policy.
- Under Security Settings, expand Software Restriction Policies.
You’ll find two containers under Software Restriction Policies: Security Levels and Additional Rules. The Security Levels container displays the two levels you can apply via policy rule, which are Unrestricted and Disallowed. The default is Unrestricted.
You can use the Additional Rules container to specify the software to allow or disallow; you can identify that software by path, certificate, hash, or Internet zone. For example, if a popular game or unauthorized application has an executable called Hacker.exe, you can create a path rule that disallows it regardless of where it is installed by using wildcards in place of the directory.
Note: This is a powerful tool, so use appropriate caution. You can inadvertently lock out users from necessary applications.
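Because a mistaken rule locks users out, it helps to review exactly which rules and default level a machine is enforcing before and after you change them. The following added script (not part of the original column) reads the policy store that the Local Security Policy editor and domain Group Policy both write to under HKLM, and prints the default level, the scope and every Additional Rule; it assumes a current Windows host and an elevated PowerShell prompt.

```powershell
# Added example (not from the original article). Reads the machine-wide Software
# Restriction Policy under HKLM (a per-user policy can also exist under HKCU).
$base = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
# Security levels are stored as numeric subkeys; these are the documented values.
$levelNames = @{ 0 = "Disallowed"; 131072 = "Basic User"; 262144 = "Unrestricted" }

if (-not (Test-Path $base)) {
    Write-Host "No software restriction policy is defined on this machine."
    return
}
$cfg = Get-ItemProperty -Path $base
$default = $levelNames[[int]$cfg.DefaultLevel]
$scope = if ($cfg.PolicyScope -eq 1) { "all users except local administrators" } else { "all users" }
$enforce = switch ([int]$cfg.TransparentEnabled) {
    0 { "off" } 1 { "all software files except libraries (DLLs)" } 2 { "all software files" }
}
Write-Host "Default security level : $default"
Write-Host "Policy applies to      : $scope"
Write-Host "Enforcement            : $enforce"
Write-Host ""
Write-Host ("{0,-12} {1,-12} {2}" -f "Level", "Rule type", "Target")

# One subkey per security level; under it one subkey per rule type, and under that
# one GUID-named subkey per rule. Path rules carry the (possibly wildcarded) path in
# ItemData; hash rules keep a binary ItemData, so their Description is shown instead.
foreach ($levelKey in Get-ChildItem -Path $base) {
    $level = $levelNames[[int]$levelKey.PSChildName]
    if (-not $level) { $level = $levelKey.PSChildName }
    foreach ($type in "Paths", "Hashes", "Certificates", "UrlZones") {
        $typePath = Join-Path $levelKey.PSPath $type
        if (-not (Test-Path $typePath)) { continue }
        foreach ($rule in Get-ChildItem -Path $typePath) {
            $p = Get-ItemProperty -Path $rule.PSPath
            $target = if ($p.ItemData -is [string]) { $p.ItemData } else { $p.Description }
            "{0,-12} {1,-12} {2}" -f $level, $type.TrimEnd('s'), $target
        }
    }
}
```

Run it once before adding a rule and again afterwards; a Disallowed path rule whose target is broader than you intended (a bare wildcard, for instance) shows up immediately in the listing.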
Create a network policy
Perhaps the trickiest of all solutions, a network policy is useful for blocking the most common games on your network. At the network boundary going toward the Internet, you should only allow users to access specific ports. (The firewall or the router’s access control list normally handles this type of thing.)
Typically, users only need outbound access to Web traffic (i.e., TCP ports 80 and 443). Exceptions can grow from that initial starting point, such as FTP access or IMAP and POP for external e-mail servers.
By only allowing users to exit your network via specific ports, you’re also blocking the ports that most online games require to operate.
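The same default-deny, explicit-allow model can be mirrored on each workstation with the built-in firewall, which catches traffic that bypasses the boundary (a user on a hotspot, for example). This is an added example and not configuration from the original column; it assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets), an elevated prompt, and that your internal network is 10.0.0.0/8, which you must replace with your own ranges so domain, file and DNS traffic keep working.

```powershell
# Added example (not from the original article). Assumes the NetSecurity module
# (Windows 8 / Server 2012+) and an elevated prompt. 10.0.0.0/8 is an assumption.
$internal = "10.0.0.0/8"

# Default deny outbound on every profile: anything not explicitly allowed is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Keep everything inside the company network reachable (domain controllers, file
# servers, internal DNS). Put ALL internal ranges here or the host will lose them.
New-NetFirewallRule -DisplayName "Allow outbound to internal network" -Direction Outbound `
    -RemoteAddress $internal -Action Allow

# The starting point from the article: Web traffic only, TCP 80 and 443.
New-NetFirewallRule -DisplayName "Allow outbound Web" -Direction Outbound -Protocol TCP `
    -RemotePort "80", "443" -Action Allow

# Grow the exception list one business need at a time; here IMAP and POP3 for an
# external mail server, as the article mentions. Add FTP etc. the same way.
New-NetFirewallRule -DisplayName "Allow outbound mail retrieval" -Direction Outbound -Protocol TCP `
    -RemotePort "110", "143" -Action Allow

# Review what is now permitted outbound; game ports are simply absent from this list.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        "{0,-40} {1,-5} {2}" -f $_.DisplayName, $port.Protocol, ($port.RemotePort -join ",")
    }
```

Windows Firewall evaluates Block rules ahead of Allow rules, so the deny comes from the profile default rather than from an explicit block rule; that keeps the allow list the single place to read when someone asks why a program cannot reach the Internet.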
Final thoughts
A company’s network should only support those applications that are necessary for the business to operate. Allowing anything else opens the door to all sorts of potential security threats. To better protect your organization’s network, make sure users game at home and leave work at the office.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.