ZDNet UK



Network management Toolkit

Killing off gaming on your network

Michael Mullins CNET News.com

Published: 04 Aug 2005 16:00 BST


Take advantage of Group Policy's Software Restriction Policies
Within the Local Security Settings and the Group Policy Settings, you'll find the often-overlooked Software Restriction Policies folder. As the name implies, a software restriction policy controls what software a user can and cannot run.

This is a Group Policy element that you can apply either to the domain controller (so that users inherit the policy) or directly to a workstation running Windows XP or Windows 2000. To change the Software Restriction Policy locally, follow these steps:

  1. Log on to the machine as Administrator.
  2. Click Start | Control Panel | Administrative Tools.
  3. Double-click Local Security Policy.
  4. Under Security Settings, expand Software Restriction Policies.

You'll find two containers under Software Restriction Policies: Security Levels and Additional Rules. The Security Levels container displays the two levels you can apply via policy rule, which are Unrestricted and Disallowed. The default is Unrestricted.

You can use the Additional Rules container to name the software to allow or disallow; you can identify it by path, certificate, hash, or Internet zone. For example, if a popular game or unauthorised application has an executable called Hacker.exe, you can create a rule that disallows that application regardless of the installation path by using wildcards to denote the path.

Note: This is a powerful tool, so use appropriate caution. You can inadvertently lock out users from necessary applications.

Create a network policy
Perhaps the trickiest of all solutions, a network policy is useful for blocking the most common games on your network. At the network boundary going toward the Internet, you should only allow users to access specific ports. (The firewall or the router's access control list normally handles this type of thing.)

Typically, users only need outbound access to Web traffic (i.e., TCP ports 80 and 443). Exceptions can grow from that initial starting point, such as FTP access or IMAP and POP for external email servers.

By only allowing users to exit your network via specific ports, you're also blocking the ports that most online games require to operate.
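
The egress policy described above, as an added example that is not part of the original article: a first-match outbound allowlist with an implicit deny, run over constructed flow records to show which internal hosts are attempting blocked ports. The rule layout, the approved mail network (203.0.113.0/24), all addresses and the high port numbers are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Outbound allowlist, checked top-down; anything unmatched hits the implicit deny.
# 203.0.113.0/24 stands in for an approved external mail provider (assumption).
ALLOW_RULES = [
    ("tcp", 80, "0.0.0.0/0", "web"),
    ("tcp", 443, "0.0.0.0/0", "web-tls"),
    ("tcp", 110, "203.0.113.0/24", "pop3-approved-mail"),
    ("tcp", 143, "203.0.113.0/24", "imap-approved-mail"),
]

# Constructed flow records: "src_ip proto dst_ip dst_port"
SAMPLE_FLOWS = """\
10.0.5.21 tcp 198.51.100.7 443
10.0.5.21 udp 198.51.100.90 40000
10.0.5.21 udp 198.51.100.90 40000
10.0.5.34 tcp 203.0.113.25 143
10.0.5.34 tcp 198.51.100.12 143
10.0.5.40 tcp 198.51.100.7 80
10.0.5.21 tcp 198.51.100.91 40001
"""

def evaluate(proto, dst_ip, dst_port):
    """Return the label of the first matching allow rule, or None (denied)."""
    addr = ipaddress.ip_address(dst_ip)
    for r_proto, r_port, r_net, label in ALLOW_RULES:
        if (proto, dst_port) == (r_proto, r_port) and addr in ipaddress.ip_network(r_net):
            return label
    return None

def audit(flow_text):
    """Count allowed flows and tally denied attempts per (source, proto, port)."""
    allowed, denied = 0, Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, proto, dst, port = line.split()
        if evaluate(proto, dst, int(port)) is None:
            denied[(src, proto, int(port))] += 1
        else:
            allowed += 1
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = audit(SAMPLE_FLOWS)
    print(f"allowed flows: {allowed}")
    for (src, proto, port), hits in denied.most_common():
        print(f"DENY {src} -> {proto}/{port} x{hits}")
```

The denied IMAP flow to 198.51.100.12 shows the effect of scoping a mail exception to a destination network as well as a port; repeated denials from one workstation are the signal to follow up on.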

Final thoughts
A company's network should only support those applications that are necessary for the business to operate. Allowing anything else opens the door to all sorts of potential security threats. To better protect your organisation's network, make sure users game at home and leave work at the office.

Mike Mullins has served as an assistant network administrator and a network security administrator for the US Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.
