During the 15 years that I have been involved in IT, computer games have always presented a special problem. The challenge becomes preventing users from installing or playing games. Computer games aren’t necessarily evil in and of themselves. They just place a tremendous stress on the system resources and network because of the bandwidth that they consume. Games also expose companies to other risks, such as viruses and Trojans, and litigation related to software piracy.
Unfortunately though, there is no magical game detection console that comes with Windows. There isn’t even one single trick that I know of for detecting or preventing games. Instead, you will have to use a variety of techniques. Remember, computer games have evolved a lot over the years and the techniques for detection have had to evolve too. The only foolproof method of detecting games is to use a variety of techniques designed for different types of games.
Where do games come from?
Before you can effectively detect computer games, you need to have a thorough understanding of how they can sneak onto your network. In the olden days, my friends and I simply kept computer games on floppy disks and inserted the floppies whenever we were ready to play a game. Today, nobody really uses this technique anymore. Unless you plan on playing a computer game that was written in 1989, the chances of a game fitting on a floppy disk are slim to none.
Even so, you must still have a plan in place for checking removable media for computer games. Sure, no one is likely to put a game on a floppy, but people do put games onto CD, DVD, and even onto flash RAM.
Removable media isn’t the only way that computer games are accessed though. It is not at all uncommon for users to attempt to install computer games onto a local hard drive or onto a network hard drive.
When you set out to try to detect computer games, another fact that you need to consider is that today, many games are played online. There are two different ways that users tend to play online games. One is to load a copy of a game onto several PCs and play head-to-head across the network. The other way that users play online is to log on to a Web site that hosts multiplayer games. On such sites, there is nothing for the user to load on her PC. The user simply logs on and starts playing.
Be on the lookout for games stored on removable media, games installed on a local or network hard drive, and games played online. In the sections below, I will discuss detection and prevention for each of these areas in detail.
I don’t really know of a reliable method of detecting computer games that are stored on removable media. Because of this, your best course of action is prevention rather than detection. I know some systems administrators who like to remove CD-ROM drives and floppy drives from users' systems as a security measure.
Personally, I don’t like taking this approach though because it doesn’t really work. Users can still access files on removable media by plugging an external device, such as a pen drive, into a USB port. In the end, removing floppy and CD-ROM drives only makes life difficult for the technicians who work on the machines.
In my opinion, you are better off restricting floppy drives, CD-ROM drives, and USB ports through security policies. Operating systems such as Windows 2000 and Windows XP give administrators excellent control over what users can and cannot do. I realize that security policies are usually implemented through group policies, and that group policies can be tricky. The good news is that if your users' workstations are running Windows XP, you can prevent removable media access without delving into the world of group policies.
If you log into a workstation as an Administrator, you can use the Device Manager to disable any devices that can be used to access removable media. A normal user account does not have the authority to re-enable these devices. This means that you have effectively locked the users out of removable media devices without ever having to create or edit a group policy.
Hopefully, your users are using Windows XP workstations and the security permissions are set in such a way that the users would not be able to install a game onto the local hard drive even if they wanted to. Users can be sneaky though, and the only way to tell for sure whether or not a game is hidden somewhere on the workstation is to use a software inventory tool to query the machine.
Software inventory tools are designed to take an inventory of all of the software that is installed on the various machines on your network. Using System Management Server or a similar tool to perform a software inventory is a great way of detecting games that have been installed onto workstations. But how do you tell if someone has installed a game to a network drive? No single technique is 100 percent effective. There are, however, several different techniques that you can use.
One thing you can do is to implement disk space quotas. Most new games occupy a massive amount of hard disk space. Therefore, if you set a reasonable disk quota, you might be able to prevent someone from putting a game on a network server.
You can also run a software inventory program against the servers. This technique may or may not yield any results depending on how the program works. Many software inventory programs work by looking through the system’s registry for clues as to what software might be installed. If your software inventory program works in this way, then it won’t usually detect games that were copied to the server because those games weren’t installed directly from the server console.
Here’s the good news though. If a user were to run a game’s installation program on his own machine, but specify a network drive as the installation path, then although the game’s files reside on a network drive, the game is technically installed on the user’s PC. The game is considered to be installed on the user’s PC and not on the network server because the registry entries related to the game are written to the registry on the user’s PC, and not to the server’s registry.
This means that your software inventory program should be able to detect the game when you scan the workstation. The only difference between detecting this type of game and a game that is truly stored locally is that the inventory should point you toward the games' files on the network drive.
Still another way that you can prevent games from being installed on workstations is to implement policies that specifically target games. Windows XP and 2003 support the use of software restriction policies. The technical details of software restriction policies are beyond the scope of this article, but what I can tell you is that a software restriction policy uses one of four different methods to define a file that is not allowed to be on the machine. If a user attempts to access a file that is defined in such a policy, the user’s access to the file is blocked, even if the user would have otherwise had rights to the file.
The bad thing about using software restriction policies to catch games is that you have to manually specify at least one file that belongs to the game that you want to block. Until you have actually caught a game on your network, you probably have no idea which files make up the game, which prevents you from being able to block it. This is especially true since some of the rule types identify a file by building a hash of it. This means that you have to have a copy of the actual file that you want to block, not just the name of the file.
As an alternative, there are software companies that make game detection mechanisms. They work similarly to software restriction policies except that the company that makes the software has taken the time to define the games for you. One of the better known products of this type is Workstation PolicyShield from Apreo.
Online games are usually more difficult to detect and to stop than games that run from a hard disk or from removable media. This doesn’t mean that it’s impossible to detect them. As you will recall, I mentioned that there are two basic types of online games: games that are played over your network (sometimes called head-to-head games) and games that are hosted on the Internet.
One of the nice things about head-to-head games is that they are run locally. This means that although they are networked, they are fairly easy to catch using the techniques that I have already discussed. You can take advantage of the fact that such games are played online and use a protocol analyzer to detect them.
Just about all head-to-head games made today communicate across the network using the TCP/IP protocol. As you may know, TCP/IP provides over 65,000 different TCP ports and an equal number of UDP ports. These ports do for data the same thing that having different channels does for television and radio: they allow a variety of tasks to be performed simultaneously with minimal interference. Common tasks are usually performed over a specific port. For example, browsing the Internet is typically done over TCP port 80.
Many head-to-head games also use specific ports. For example, Quake 2 uses TCP or UDP port number 27910. So you can set up a protocol analyzer to monitor the usage of port 27910 and have it alert you if traffic is detected. If packets are detected, you will easily be able to tell who is playing Quake.
Detecting game play is good, but in my opinion, prevention is better. To prevent users from playing Quake 2 in head-to-head modes, all you have to do is prevent traffic from flowing across port number 27910. This is easier to pull off than it sounds. Windows XP has its own built-in firewall. If you enable the firewall, you can prevent traffic from being received through port number 27910.
Blocking this port through the Windows XP firewall will prevent users from playing Quake, but what about other head-to-head games that use different ports? The trick is to find out which games use which ports and block those ports. Arizona University maintains a list of common games and the TCP and UDP ports that they use.
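As an added example (not from the original article), here is the port-based detection from above applied to log lines instead of a live protocol analyzer. It assumes the W3C-style field layout that the Windows XP firewall writes to its pfirewall.log; the sample log lines and the game-to-port table are constructed, and a real deployment would fill the table from a maintained list such as the one mentioned above.

```python
from collections import defaultdict

# Constructed lookup of (protocol, port) -> game. Only the Quake 2 port from
# the article is included; extend it from a maintained games/ports list.
GAME_PORTS = {
    ("UDP", 27910): "Quake 2",
    ("TCP", 27910): "Quake 2",
}

# Field order assumed from the #Fields header the Windows XP firewall emits.
FIELDS = ["date", "time", "action", "protocol", "src-ip", "dst-ip",
          "src-port", "dst-port", "size", "tcpflags", "tcpsyn", "tcpack",
          "tcpwin", "icmptype", "icmpcode", "info", "path"]

# Constructed sample log: one workstation hosting, one peer being dropped,
# one peer connecting, and one unrelated web request.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-06-01 12:01:05 OPEN UDP 192.0.2.10 192.0.2.25 27910 27910 - - - - - - - - SEND
2004-06-01 12:01:06 OPEN TCP 192.0.2.10 203.0.113.5 3045 80 - - - - - - - - SEND
2004-06-01 12:01:09 DROP UDP 192.0.2.31 192.0.2.25 1101 27910 120 - - - - - - - RECEIVE
2004-06-01 12:02:00 OPEN TCP 192.0.2.12 192.0.2.25 3200 27910 - - - - - - - - SEND
"""

def parse_line(line):
    """Return a dict of fields for a data line, or None for headers/blank/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # malformed line: skip rather than guess at the layout
    return dict(zip(FIELDS, parts))

def find_game_traffic(log_text):
    """Map (src-ip, game) -> number of log lines touching a known game port."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for port_field in ("src-port", "dst-port"):
            try:
                port = int(rec[port_field])
            except ValueError:
                continue  # "-" is logged for protocols without ports (ICMP)
            game = GAME_PORTS.get((rec["protocol"], port))
            if game:
                hits[(rec["src-ip"], game)] += 1
                break  # count each line once even if both ports match
    return dict(hits)
```

Both SEND and RECEIVE directions are checked, so a blocked (DROP) packet from a peer still identifies who tried to join the game.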
Detecting computer games that are played entirely online is a bit trickier because none of the game’s components are installed on the local machine (aside from the browser cache). The only real way to bust someone who is playing online games is to monitor Internet usage in the same way that you would watch for people surfing for porn. There are dozens of different Internet-monitoring applications that can detect online game play or other inappropriate use of the Internet.