Keep gaming off your corporate network with these four steps

by Michael "Mullins CCNA, MCP" | Aug 04, 2005 7:00:00 AM

Tags: Games, Michael Mullins CCNA, MCP, game, Domain Users, Program Files, Security Solutions Newsletter

Takeaway: A company's network should only support those applications that are necessary for the business to operate—and that doesn't typically include gaming. Not only does gaming pose a productivity problem, but it can also jeopardize network security. Always willing to sacrifice popularity in the name of security, Mike Mullins offers four steps you can take to keep gaming off your network.

Let's be honest: Gaming at the office isn't in any best practices guide. Don't get me wrong, I'm not against gaming—it just doesn't belong on the office network.

This isn't a popular attitude to take, but it's a smart one. Corporate machines and their bandwidth are for business activities—not amusement. Not only does gaming pose a productivity problem, but it can also jeopardize network security.

If your users are gaming at the office, I recommend revisiting your corporate policy immediately. Let's look at four steps you can take to regain control of your network from gamers.

Put it in writing

Inform users that it's against company policy to install unapproved software applications on company computers. This covers a wide field that includes games, bootleg copies of office programs, unapproved utilities, and a wide assortment of potential malware that has no business function.

If, in fact, you don't have a policy that addresses this matter, I recommend taking immediate steps to create one. Instituting a written policy that addresses Internet usage is a security best practice for many reasons.

In addition, publish a list of approved software for which the company owns licenses. Your policy should also detail the process for adding software to the approved list and outline penalties for noncompliance.

Putting all of this in writing covers you from a legal perspective for the actions you'll need to take to actually deter users from turning their office machine into a gaming platform.

Lock down the Program Files folder

By default, most games install in the Program Files directory. Therefore, to further discourage gaming, users shouldn't have the rights to create or modify files in this directory.

Verify that your users have only user rights and that they aren't power users or administrators on their machines. To do so, follow these steps:

1. Right-click My Computer, and select Manage.
2. In the left-hand pane, expand Local Users And Groups.
3. Select Groups, and double-click Users in the right-hand pane.

Verify that your Domain Users group (or the domain group that your users belong to) is a member of this group. Check the other groups, specifically the Administrators group, and verify that no normal user accounts are in this group. Check the Power Users group for invalid entries as well.

Now that you've ensured users have only user rights to common file objects, follow these steps:

1. Double-click My Computer, and double-click Local Disk (C:).
2. Right-click Program Files, and select Properties.
3. On the Security tab, select Users from the Group Or User Names list box, and verify these permissions: Read & Execute, List Folder Contents, and Read.
4. Verify that no invalid entries exist for the security properties of this folder.

Users will no longer be able to install software that defaults to this location. If they want to install games, users must now consciously select an alternate location to install the game.

Take advantage of Group Policy's Software Restriction Policies

Within the Local Security Settings and the Group Policy Settings, you'll find the often-overlooked Software Restriction Policies folder. As the name implies, a software restriction policy controls what software a user can and cannot run.

This is actually a group policy element that you can apply either to the domain controller (and users inherit the policy), or you can apply it directly to a workstation running Windows XP or Windows 2000. To change the Software Restriction Policy locally, follow these steps:

1. Log onto the machine as Administrator.
2. Click Start | Control Panel | Administrative Tools.
3. Double-click Local Security Policy.
4. Under Security Settings, expand Software Restriction Policies.

You'll find two containers under Software Restriction Policies: Security Levels and Additional Rules. The Security Levels container displays the two levels you can apply via policy rule, which are Unrestricted and Disallowed. The default is Unrestricted.

You can use the Additional Rules container to specify the specific software to allow or disallow; you can specify this by path, certificate, hash, or Internet zone. For example, if a popular game or unauthorized application has an executable called Hacker.exe, you can create a rule that disallows applications regardless of the installation path by using wildcards to denote the path.

Note: This is a powerful tool, so use appropriate caution. You can inadvertently lock out users from necessary applications.

Create a network policy

Perhaps the trickiest of all solutions, a network policy is useful for blocking the most common games on your network. At the network boundary going toward the Internet, you should only allow users to access specific ports. (The firewall or the router's access control list normally handle this type of thing.)

Typically, users only need outbound access to Web traffic (i.e., TCP ports 80 and 443). Exceptions can grow from that initial starting point, such as FTP access or IMAP and POP for external e-mail servers.

By only allowing users to exit your network via specific ports, you're also blocking the ports that most online games require to operate.

Final thoughts

A company's network should only support those applications that are necessary for the business to operate. Allowing anything else opens the door to all sorts of potential security threats. To better protect your organization's network, make sure users game at home and leave work at the office.

Miss a column?

Check out the Security Solutions Archive, and catch up on the most recent editions of Mike Mullins' column.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Print/View all Posts Comments on this article

Sounds good but ...oz_ollie  | 08/05/05

Secret Service?Myron_s  | 08/05/05

Your attitude is irresponsiblestress junkie  | 08/05/05

Totally Agreerickk@...  | 08/05/05

No help from Abovenct_buyer  | 08/05/05

I sympathize with thatstress junkie  | 08/05/05

Yes. The hospital managers are in the wrong he...Myron_s  | 08/11/05

Medical security and possibleBad Panda  | 08/11/05

agreedavid  | 08/12/05

Doctors are the worstToo Old For IT  | 08/05/05

exactlyavid  | 08/12/05

Just say HIPAAThrev  | 08/18/05

Also say "put it in writing".gsterner@...  | 09/01/06

company time and equipment is company time and equipment...michael.grello@...  | 08/11/05

Is it a tech responsibility or a supervisory responsibility?BrokenEagle  | 09/01/06

Excellent replyandrew.lawlor@...  | 08/05/05

A person is not a machine that can be worked to...Myron_s  | 08/11/05

Unless they are contract employeesstress junkie  | 08/11/05

A person is not a machine that can be worked to...Myron_s  | 08/11/05

Gaming is not in the Bill of Rightsjm@...  | 08/11/05

Chill out ---JeezBHunsinger  | 08/05/05

I don't agreeD_V Ant  | 08/11/05

stress' postsimplyshaman  | 08/05/05

veins a poppin'stress junkie  | 08/05/05

Absolutely...Vetch_101  | 08/09/05

Managers make me angry.stress junkie  | 08/11/05

Idiotic managers..Myron_s  | 08/11/05

If you are coming in on the weeked on your own dime...Beoweolf  | 08/11/05

Intentions...Vetch_101  | 08/11/05

Not that irresponsible as you think.Myron_s  | 08/11/05

i found the solution to warum02122@...  | 08/11/05

I definitely am paranoid ...stress junkie  | 08/11/05

I agree with stressLuckman876  | 08/11/05

Myron, its time to be a grown up.GB4  | 09/01/06

Oh for Crying Out Loudwlbowers@...  | 08/11/05

I Applaud Mike. Negative Discussion Based On Limited Parochial, Experiancezczc2311@...  | 08/11/05

WHY IT IS HATEDjevans@...  | 09/01/06

Beyond securityrevlarry  | 09/01/06

Mandatory authenticationPeter Choi  | 08/06/05

Spyware and conflictsLCM Man  | 08/11/05

Gaming Worse in Public Sector than Private Sectorjm@...  | 08/11/05

if it works for you great, but do you realize...UncleRob  | 09/01/06

no paranoyamj5410@...  | 05/10/07

not worth it?j-jireh  | 08/05/05

Office SecurityMike Mullins  | 08/05/05

Our own worst enemyStratocaster  | 08/05/05

No games allowed - period.markand@...  | 08/08/05

Management initiative and support are keystress junkie  | 08/08/05

Good point!Cweb  | 08/11/05

On your final paragraph, I agree. I do the sam...Myron_s  | 08/11/05

sieg heil!Cweb  | 08/11/05

Re: No games allowed - perioddavid.cook@...  | 08/11/05

I think you guys are misunderstanding memarkand@...  | 08/11/05

Understandable.Myron_s  | 08/25/05

i think that is not right because people do not...chris grey  | 11/29/05

Off topic ... mea culpastress junkie  | 08/05/05

Re: authors pictureMike Mullins  | 08/05/05

few if any of these suggestions would work in a pure R&D environmentvalis  | 08/12/05

Domain Administrator RequiredRoger  | 08/05/05

Not the way...Vetch_101  | 08/09/05

You're right way off base.djameson@...  | 08/05/05

Re: way off baseMike Mullins  | 08/05/05

Data Security . . .Myron_s  | 08/11/05

removable storagedjameson@...  | 08/11/05

The key first lineOz_Media  | 08/07/05

in one senceJaqui  | 08/08/05

Gotta agree with Oztoreador  | 08/08/05

Think of it the other way round.Melar  | 08/08/05

Maybe if department managers did THEIR jobs and...TonytheTiger  | 08/08/05

Amen, DunlapETHOS21st@...  | 08/11/05

It CAN be DONE!payvatopvincep@...  | 08/11/05

Technical or Political discussion?Martin Glueckmann  | 08/11/05

Does That Include IT?MinJRB  | 08/11/05

Thank goodness for Novell on the backendrestoh@...  | 08/11/05

Is Freecell a Security Risk?mensaguy  | 08/11/05

True, but...Vetch_101  | 08/11/05

Anyone consider BSA?SLSB  | 08/11/05

Business environment means Business!loefvinc  | 08/12/05

Software Restriction Policies are not available on Windows 2000arthg@...  | 09/01/06

Doesnt Always work that way but...jdonald@...  | 08/05/05

RE: Doesnt Always work that way but...damagei@...  | 08/05/05

do it in the registrydjameson@...  | 08/11/05

Yes, it is to disallow mounting of removable me...The Admiral  | 08/05/05

Employee behaviorbarker81152@...  | 08/05/05

Oh please! Give me a break...DancinKatieh@...  | 08/05/05

Grammar & spellingNI70  | 08/05/05

YupMostExcellent  | 08/08/05

the longest sentence ever........jd_russell2003@...  | 08/05/05

Grammar & Spelling, Part DeuxStratocaster  | 08/11/05

Agree on writing.RockyMtnMan  | 08/11/05

Doesn't apply to "golden child"gralfus  | 08/05/05

welcome to my world.thompsonwj@...  | 08/05/05

Work is work...setantapc@...  | 08/07/05

Exactly on targetstress junkie  | 08/07/05

I wouldn't give your company 6 months up hereOz_Media  | 08/07/05

One problem with this posttoreador  | 08/08/05

ExactlyOz_Media  | 08/08/05

Once upon a time in the land of Oz...hejcb  | 08/11/05

"Hi - I'm not at work right now." I'm no...david.cook@...  | 08/11/05

respect the golden childvalis  | 08/09/05

Or...Isolate his server, so his "crap" wouldn't affect the network.Beoweolf  | 08/11/05

exactlyvalis  | 08/12/05

simple solution..one step.....Jaqui  | 08/07/05

$HOME/binstress junkie  | 08/07/05

but mostJaqui  | 08/08/05

Gotta love a quick game of Enemy Territory jmgarvin  | 08/08/05

Keeps productivity apps away, toogarnerl  | 08/11/05

If you are so foolish that you don't think the ...jmschattke@...  | 08/11/05

Gaming still has its placeEl_Gazzítò  | 08/08/05

completely in agreementantonio.castellon@...  | 08/11/05

Games can have business-related rolessimon_mackay@...  | 08/11/05

Stress reliefMyron_s  | 08/11/05

Another role: helping project managers to see status of a personastr@...  | 08/12/05

It's not just security to be worried aboutKdoyle  | 08/08/05

Now you're just complicating things. stress junkie  | 08/08/05

LicensingMyron_s  | 08/11/05

It's not their personal equipmentKdoyle  | 08/11/05

Jesusronny.baeb@...  | 08/11/05

And when you tick off the person, that's when y...Myron_s  | 08/11/05

I agree with some of your points...but expand the scopeBeoweolf  | 08/11/05

There IS a reasonrouschkateer@...  | 08/11/05

Meybe I'm being misunderstood. I don't run a t...Myron_s  | 08/11/05

My, what attitudes!edignan@...  | 08/11/05

So....Vetch_101  | 08/11/05

Need a life or need a work ethic...edignan@...  | 08/12/05

On the flipside...dark_15  | 08/31/05

Wow.erich_tucker@...  | 08/11/05

Some People Paid to Think!!!jm@...  | 08/11/05

Good pointstress junkie  | 08/11/05

job training?Jaqui  | 08/12/05

I said it. I meant it. stress junkie  | 08/12/05

if they did,Jaqui  | 08/12/05

C'mon nowerich_tucker@...  | 08/11/05

Still amazes me, IT Sec Policydennis_london@...  | 08/11/05

Yes Yes Yesstress junkie  | 08/11/05

I dont have enough free time. I am busy workingzczc2311@...  | 08/11/05

Ouch!stress junkie  | 08/12/05

I accept you participate in your own time.zczc2311@...  | 08/13/05

gaming kills....Jaqui  | 08/12/05

and that isn'tJaqui  | 08/12/05

My problem is....Willy MacWindows  | 08/13/05

don'tJaqui  | 08/14/05

this is what i dosomebozo  | 08/14/05

You have a very mature handle on things…zczc2311@...  | 08/15/05

bad informationfklimczak@...  | 08/18/05

Not usable for legacy applicationsAndeAnderson  | 08/18/05