During the 15 years that I have been involved in IT,
computer games have always presented a special problem: preventing users
from installing or playing them. Computer games aren’t necessarily evil in
and of themselves, but they place tremendous stress on system resources and on
the network because of the bandwidth that they consume. Games also expose
companies to other risks, such as viruses and Trojans, and to litigation
related to software piracy.

Unfortunately though, there is no magical game detection
console that comes with Windows. There isn’t even one single trick that I know
of for detecting or preventing games. Instead, you will have to use a variety
of techniques. Remember, computer games have evolved a lot over the years and the
techniques for detection have had to evolve too. The only foolproof method of
detecting games is to use a variety of techniques designed for different types
of games.

Where do games come from?

Before you can effectively detect computer games, you need to
have a thorough understanding of how they can sneak onto your network. In the
olden days, my friends and I simply kept computer games on floppy disks and
inserted the floppies whenever we were ready to play a game. Today, hardly
anyone uses this technique anymore. Unless you plan on playing a computer game
that was written in 1989, the chances of a game fitting on a floppy disk are
slim to none.

Even so, you must still have a plan in place for checking
removable media for computer games. Sure, no one is likely to put a game on a
floppy, but people do put games onto CD, DVD, and even onto flash RAM.

Removable media isn’t the only way that computer games are
accessed though. It is not at all uncommon for users to attempt to install
computer games onto a local hard drive or onto a network hard drive.

When you set out to try to detect computer games, another
fact that you need to consider is that today, many games are played online.
There are two different ways that users tend to play online games. One is to
load a copy of a game onto several PCs and play head-to-head across the
network. The other way that users play online is to log on to a Web site that
hosts multiplayer games. On such sites, there is nothing for the user to load
on her PC. The user simply logs on and starts playing.

Be on the lookout for games stored on removable media,
installed on a local or network hard drive, and games played online. In the
sections below, I will discuss detection and prevention for each of these areas
in detail.

Removable media

I don’t really know of a reliable method of detecting
computer games that are stored on removable media. Because of this, your best
course of action is prevention rather than detection. I know some systems
administrators who like to remove CD-ROM drives and floppy drives from users’
systems as a security measure.

Personally, I don’t like taking this approach though because
it doesn’t really work. Users can still access files on removable media by
plugging an external device, such as a pen drive, into a USB port. In the end,
removing floppy and CD-ROM drives only makes life difficult for the technicians
who work on the machines.

In my opinion, you are better off restricting floppy drives,
CD-ROM drives, and USB ports through security policies. Operating systems such
as Windows 2000 and Windows XP give administrators excellent control over what
users can and cannot do. I realize that security policies are usually
implemented through group policies, and that group policies can be tricky. The
good news is that if your users’ workstations are running Windows XP, you can
prevent removable media access without delving into the world of group
policies.

If you log into a workstation as an Administrator, you can
use the Device Manager to disable any devices that can be used to access
removable media. A normal user account does not have the authority to re-enable
these devices. This means that you have effectively locked the users out of
removable media devices without ever having to create or edit a group policy.

Installed games

Hopefully, your users are using Windows XP workstations and
the security permissions are set in such a way that the users would not be able
to install a game onto the local hard drive even if they wanted to. Users can
be sneaky though, and the only way to tell for sure whether or not a game is
hidden somewhere on the workstation is to use a software inventory tool to
query the machine.

Software inventory tools are designed to take an inventory
of all of the software that is installed on the various machines on your
network. Using Systems Management Server (SMS) or a similar tool to perform a
software inventory is a great way of detecting games that have been installed
onto workstations. But how do you tell if someone has installed a game to a
network drive? No single technique is 100 percent effective. There are,
however, several different techniques that you can use.

One thing you can do is to implement disk space quotas. Most
new games occupy a massive amount of hard disk space. Therefore, if you set a
reasonable disk quota, you might be able to prevent someone from putting a game
on a network server.

You can also run a software inventory program against the
servers. This technique may or may not yield any results depending on how the
program works. Many software inventory programs work by looking through the
system’s registry for clues as to what software might be installed. If your
software inventory program works in this way, then it won’t usually detect
games that were copied to the server because those games weren’t installed
directly from the server console.

Here’s the good news though. If a user were to run a game’s
installation program on his own machine, but specify a network drive as the
installation path, then although the game’s files reside on a network drive,
the game is technically installed on the user’s PC. The game is considered to
be installed on the user’s PC and not on the network server because the registry
entries related to the game are written to the registry on the user’s PC, and
not to the server’s registry.

This means that your software inventory program should be
able to detect the game when you scan the workstation. The only difference
between detecting this type of game and a game that is truly stored locally is
that the inventory should point you toward the game’s files on the network
drive.

Still another way that you can prevent games from being
installed on workstations is to implement policies that specifically target
games. Windows XP and 2003 support the use of software restriction policies.
The technical details of software restriction policies are beyond the scope of
this article, but what I can tell you is that a software restriction policy
uses one of four different methods to define a file that is not allowed to be
on the machine. If a user attempts to access a file that is defined in such a
policy, the user’s access to the file is blocked, even if the user would have
otherwise had rights to the file.

The bad thing about using software restriction policies to
catch games is that you have to manually specify at least one file that belongs
to the game that you want to block. Until you have actually caught a game on
your network, you probably would have no idea which files make up the game,
which would prevent you from being able to block it. This is especially true
since some of the rule types work by building a hash of the specified file.
This means that you have to have a copy of the actual file that you want to
block, not just the name of the file.
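The difference between a hash rule and a path rule is the crux of the paragraph above, so here is an added example (not from the article, and not a reimplementation of Windows) that models those two rule types on constructed sample files. Windows software restriction policies also support certificate and network-zone rules, which this model leaves out; the file names, byte contents and the `is_blocked` helper are all hypothetical. The demo shows why a hash rule needs a captured copy of the game file, and why each rule type misses what the other catches:

```python
import hashlib
import tempfile
from fnmatch import fnmatch
from pathlib import Path
from typing import Dict, List

# Simplified, hypothetical model of two software restriction policy rule types
# (hash rules and path rules). Certificate and network-zone rules are not modelled.
Rule = Dict[str, str]


def sha256_of_file(path: Path) -> str:
    """Hash a file in chunks; a hash rule is built from this value."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_hash_rule(sample_file: Path) -> Rule:
    """A hash rule needs a copy of the real file: the hash comes from its bytes."""
    return {"type": "hash", "value": sha256_of_file(sample_file)}


def build_path_rule(pattern: str) -> Rule:
    """A path rule needs only a file name or wildcard pattern."""
    return {"type": "path", "value": pattern}


def is_blocked(path: Path, rules: List[Rule]) -> bool:
    """True if any rule matches the file, regardless of the user's NTFS rights."""
    for rule in rules:
        if rule["type"] == "hash" and sha256_of_file(path) == rule["value"]:
            return True
        if rule["type"] == "path" and fnmatch(path.name.lower(), rule["value"].lower()):
            return True
    return False


def demo() -> Dict[str, bool]:
    """Create constructed sample files and show where each rule type succeeds or fails."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = root / "quake2.exe"            # constructed stand-in for a game binary
        original.write_bytes(b"CONSTRUCTED-GAME-BINARY-v1")
        renamed = root / "report.exe"             # identical bytes, innocent-looking name
        renamed.write_bytes(b"CONSTRUCTED-GAME-BINARY-v1")
        (root / "sub").mkdir()
        patched = root / "sub" / "quake2.exe"     # same name, different bytes (a new version)
        patched.write_bytes(b"CONSTRUCTED-GAME-BINARY-v2")

        hash_rule = build_hash_rule(original)     # requires the captured file
        path_rule = build_path_rule("quake2.exe") # requires only the name

        return {
            "renamed_copy_blocked_by_hash": is_blocked(renamed, [hash_rule]),
            "renamed_copy_blocked_by_path": is_blocked(renamed, [path_rule]),
            "new_version_blocked_by_hash": is_blocked(patched, [hash_rule]),
            "new_version_blocked_by_path": is_blocked(patched, [path_rule]),
            "original_blocked_by_both": is_blocked(original, [hash_rule, path_rule]),
        }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name}: {blocked}")
```

The renamed copy slips past the path rule but not the hash rule, while the patched version slips past the hash rule but not the path rule, which is why a vendor-maintained definition set, or a mix of both rule types, covers more ground than either alone.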

As an alternative, there are software companies that make
game detection mechanisms. They work similarly to software restriction policies
except that the company that makes the software has taken the time to define
the games for you. One of the better known products of this type is Workstation
PolicyShield from Apreo.

Online games

Online games are usually more difficult to detect and to
stop than games that run from a hard disk or from removable media. This doesn’t
mean that it’s impossible to detect them. As you will recall, I mentioned that
there are two basic types of online games: games that are played over your
network (sometimes called head-to-head games) and games that are hosted on the
Internet.

One of the nice things about head-to-head games is that they
run locally. This means that although they are networked, they are fairly
easy to catch using the techniques that I have already discussed. You can also
take advantage of the fact that such games are played across the network and
use a protocol analyzer to detect them.

Just about all head-to-head games made today communicate
across the network using TCP/IP. As you may know, TCP provides over 65,000
different port numbers, and UDP provides an equal number. Ports do for data
what separate channels do for television and radio: they allow a variety of
tasks to be performed simultaneously with minimal interference. Common tasks
are usually performed over a specific port. For example, browsing the Internet
is typically done over TCP port 80.

Many head-to-head games also use specific ports. For
example, Quake 2 uses TCP or UDP port number 27910. So you can set up a
protocol analyzer to monitor the usage of port 27910 and have it alert you if
traffic is detected. If packets are detected, you will easily be able to tell
who is playing Quake.

Detecting game play is good, but in my opinion, prevention
is better. To prevent users from playing Quake 2 in head-to-head modes, all you
have to do is prevent traffic from flowing across port number 27910. This is
easier than it sounds to pull off. Windows XP has its own built-in firewall. If
you enable the firewall, you can prevent traffic from being received through
port number 27910.

Blocking this port through the Windows XP firewall will
prevent users from playing Quake, but what about other head-to-head games that
use different ports? The trick is to find out which games use which ports and
block those ports. Arizona University maintains a list of common games
and the TCP and UDP ports that they use.
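To show what the port-watching approach from the preceding paragraphs looks like when it is automated rather than done by eye in a protocol analyzer, here is an added example that is not part of the article. It runs a game-port table over constructed connection records (sample data, not real traffic) laid out like a space-separated firewall log; the log format, IP addresses and the `find_players` helper are assumptions. The port table holds only the one port the article names; the idea is to extend it from a maintained game/port list such as the one mentioned above. The example also handles the case the article does not spell out: server replies, where the game port appears as the source rather than the destination.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, NamedTuple, Optional

# Detection signatures: only the port the article gives is filled in.
# Extend this table from a maintained list of games and their ports.
GAME_PORTS: Dict[int, str] = {27910: "Quake 2"}

# Constructed sample records (not real traffic), modelled on a space-separated
# firewall log with fields: date time action protocol src-ip dst-ip src-port dst-port.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-03-01 09:12:01 OPEN TCP 10.0.0.15 192.0.2.10 1045 80
2004-03-01 09:12:05 OPEN UDP 10.0.0.22 10.0.0.40 2731 27910
2004-03-01 09:12:06 OPEN UDP 10.0.0.23 10.0.0.40 2732 27910
2004-03-01 09:12:09 OPEN UDP 10.0.0.22 10.0.0.40 2731 27910
2004-03-01 09:12:30 OPEN UDP 10.0.0.40 10.0.0.22 27910 2731
2004-03-01 09:13:00 OPEN TCP 10.0.0.15 192.0.2.11 1046 443
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)"
)


class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_log(text: str) -> Iterator[Flow]:
    """Yield one Flow per well-formed record; header, blank and malformed lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        match = LINE_RE.match(line)
        if match is None:
            continue  # a malformed line should not abort the whole scan
        yield Flow(match["proto"], match["src"], match["dst"],
                   int(match["sport"]), int(match["dport"]))


def classify(flow: Flow) -> Optional[str]:
    """Name the game if either end of the flow uses a known game port, else None.
    Checking both ends catches server replies, where the game port is the source."""
    return GAME_PORTS.get(flow.dport) or GAME_PORTS.get(flow.sport)


def client_of(flow: Flow) -> str:
    """The player's machine is the end that is not using the game port."""
    return flow.dst if flow.sport in GAME_PORTS else flow.src


def find_players(text: str) -> Dict[str, Dict[str, int]]:
    """Map each suspected player IP to {game name: number of matching flows}."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for flow in parse_log(text):
        game = classify(flow)
        if game:
            hits[client_of(flow)][game] += 1
    return {ip: dict(games) for ip, games in hits.items()}


if __name__ == "__main__":
    for ip, games in find_players(SAMPLE_LOG).items():
        print(ip, games)
```

Run against the sample, it attributes three Quake 2 flows to 10.0.0.22 (two outbound plus the server's reply) and one to 10.0.0.23, while the port 80 and 443 traffic from 10.0.0.15 is ignored. A match on a port is only an indicator: confirm it the way the article suggests, by looking at the workstation, before acting on it.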

Detecting computer games that are played entirely online is
a bit trickier because none of the game’s components are installed on the local
machine (aside from the browser cache). The only real way to bust someone who
is playing online games is to monitor Internet usage in the same way that you
would watch for people surfing for porn. There are dozens of different
Internet-monitoring applications that can detect online game play or other
inappropriate use of the Internet.