Gaming in a Secure Environment
At a Glance:
- Writing to protected folders and registry keys
- Copy protection failures
- Firewall issues
- Problems with enterprise clients
By day, I work as a Security Program Manager at Microsoft. I also write about security quite often for TechNet Magazine. Needless to say, I take security very seriously. But I have other interests too. In my spare time, I love to play Windows®-based games. I'm especially fond of first-person shooters, simulators, role-playing, and real-time strategy games. There's a catch, though. Like my friends Jesper Johansson and Aaron Margosis, I refuse to run with administrative privilege except when absolutely necessary. I do this partly to make sure that I only get 0wn3d in a network game due to my lack of skills and not as a result of someone bombing me with a rootkit to slow my aiming (see the Quake 3 Buffer Overflow Advisory listed in the "Resources" sidebar).
I'm so passionate about this that I often can't play a hot new title (see Figure 1). If I can't get the game to run under my Limited User Account (LUA) on a Small Business Server (SBS) domain-joined client after installing and updating it under an administrator account, I promptly remove it. There's no excuse for such poor engineering, and I'm not lacking games to choose from. I admit this might sound like an extreme position to take, but I'm adamant about this point. Still, I'm not against working around a few minor foibles for the sake of some quality gaming time, and that is what I'll be discussing here. So allow me to share some of the game-related problems I've encountered, and the solutions I've found to work. For a quick summary of best practices, take a look at the sidebar "Tips for Gaming as a Limited User".
Figure 1 File Access Problem when Performing a Manual Update
This privilege problem is nothing new. There are numerous games, and other types of programs, that require administrative privilege to run properly. Take a look at Knowledge Base article "Certain Programs Do Not Work Correctly if You Log On Using a Limited User Account" (see support.microsoft.com/kb/307091). It lists nearly 200 games and applications that have difficulty when run by a limited user, including a few programs from Microsoft.
I want to be clear that I do not consider requiring administrative privilege to install or (manually) update a game to be a problem. This is generally required until we have the ability to do routine per-user installations on Windows. That day is coming soon, but we're not quite there yet. However, once a game is installed and updated it ought to be ready to play by any user on a system, even one with just limited privilege.
Trying to Write to Protected Folders and Registry Keys
The single most common problem I've seen is when a game fails at launch or during play because it attempts to write to protected folders or registry keys (common in many Windows-based applications). By default, only administrators (and the deprecated Power Users) can write to certain folders (such as %PROGRAMFILES%) and registry hives (like HKEY_LOCAL_MACHINE). The errors from this may be relatively obvious: "Error 42: Can't write log files to C:\Program Files\CoolGamesInc\NewestFPS\Logs\" or "Game not installed properly, reinstall and restart." I've also seen examples in mid-game, such as error messages that appear when I save my progress. Sometimes the game writers at least alert the user that the game currently needs administrative privilege to function, which is what I experienced with Age of Mythology®. Massively multiplayer online games (MMOGs) often bump into problems with privilege since they frequently update themselves and the self-updating angle is a bit trickier to solve technologically. When I ran through the EVE Online trial, I noticed it suffered not only from placing log files in inappropriate locations, but also from trying to self-update game content data to the install folder.
Copy Protection Fails
The second most common reason I've seen for games failing to launch is when the game's built-in copy protection (or other anti-piracy feature) doesn't work as a limited user. It could be that the driver didn't start properly or some background service isn't running. The most common representation I've seen for this problem is the game asking the user to insert a disk—even when the required media is already in the drive. I've also seen games claim administrator privileges are necessary on the misbegotten belief that only administrators can properly run the copy protection check. The worst cases give some ill-formed, nonsensical error message that has no reference on the game's support site.
Failure to Request a Firewall Exception
Multiplayer games that can be played over a local network or the Internet are very common, and Windows XP Service Pack 2 (SP2) added a warning message that tells the user when applications are attempting to listen on the network. This brings me to the next common problem I've observed: games that need a firewall exception but don't ask to add this exception at setup time. Since limited users can't alter the firewall configuration, this warning (see Figure 2) can't be remedied without some configuration work done by an administrator. Worse yet, sometimes the problem isn't obvious, since the warning appears in the Windows shell, not within the game's interface. In fact, I typically don't even see the error message until after I've exited the game.
Figure 2 When Firewall Settings Stop all the Fun
Problems with Enterprise Clients
I've found another problem not directly related to running as a limited user, but it's worth discussing nonetheless. I run my home computing environment like a small enterprise (I won't go into too much detail here, but you can read about it in the article "Master Your Domain: Build a Corporate Network at Home" that Jesper Johansson and I wrote for the October 2006 issue of TechNet Magazine). Using SBS 2003 (R2), I have set up a complete Windows domain with a My Documents folder that is redirected to a server share. This is how I discovered the last most common problem I'll discuss: games that can't handle enterprise clients.
I noticed a double whammy with Age of Empires® III (AoE3). To the development team's credit, the game starts and plays properly as a limited user. However, I noticed that scenarios loaded slowly due to lots of logging data being written over the network. Additionally, AoE3 lost my configuration, saved games, and progress whenever I exited the game. The files were clearly there in the My Documents folder, but the game just wouldn't load them. This was a real disappointment, especially considering how much more LUA-friendly AoE3 had become compared to earlier titles in the series.
I have seen one game that at least acknowledges such enterprise client issues. When I tried Fable®: The Lost Chapters™, the game was considerate enough to tell me that remote My Documents folders are unsupported, and then it gracefully exited. I commend the development team for recognizing an unsupported scenario and ruling it out. However, it seemed a bit odd that the game would go out of its way to stop the user, given that the game wanted to place only a few megabytes of data in the My Documents folder.
I've seen these problems over and over, on more games than I can recall. Fortunately, most have convenient workarounds. My favorite fix is to drop the game altogether, switching to a LUA-ready title in the same genre by a different publisher. Again, that might sound a bit extreme. And it's not a great solution when I've just spent 60 dollars on a new title and I can't return it because the box is already opened. So let's look at ways to fix the games I already own.
Tips for Gaming as a Limited User
- Upgrade to Windows Vista.
- Try the demo before you buy. This will most likely present any LUA problems the full version has.
- Check out the list of programs known to have problems running under a LUA.
- Look for games that carry the Designed for Windows logo.
- Update the game after installation and before running it as a limited user.
- When you find a game that doesn’t work as a limited user, express your concerns to the publisher and to the company’s tech support service.
- If you must, use a system local power user account.
Fixing Copy Protection Issues
First, let's tackle the copy protection driver issue. Copy protection systems are here to stay, but that doesn't mean they should prevent nonadministrators from running games! Most games use Macrovision's SafeDisc copy protection mechanism, which installs a driver that checks for an original game disk. By default, the driver is configured to start on demand (a function limited users aren't allowed to do). Microsoft and Macrovision have distributed fixes, but I've found another workaround:
- Open Device Manager using an administrator account.
- Go to the View menu and select Show hidden devices.
- Expand the Non-Plug and Play Drivers node.
- Open the properties for the Security or SecDrv driver (see Figure 3).
- Change the startup type to Automatic.
Figure 3 Allowing Copy Protection to Run Properly
Since the driver now starts when the computer boots, it's ready when the user inserts the disk to run the game.
Fixing File System and Registry Access Issues
The assumption of unfettered access to any part of the file system or registry is a common problem with many current and legacy programs, not just games. Aaron Margosis's article "Problems of Privilege: Find and Fix LUA Bugs" goes into greater detail about solutions to the various problems that lead to requiring administrator privileges.
Access problems can be a little tricky to track down, but once the requisite set of files, folders, and registry keys are discerned, loosening the access control lists (ACLs) to allow limited users to play the game is pretty straightforward. I've had the most success with the following method:
- Get the latest versions of Filemon and Regmon from microsoft.com/technet/sysinternals.
- Run the tools as an administrator and have them start collecting logs.
- Play the game for a few minutes as an administrator, performing the most common tasks (start a new campaign, save a game, host a network game, and so on).
- Filter the results from Filemon and Regmon to focus on accesses from the game being tested.
- Loosen the ACLs as necessary on the folders and registry keys in question.
- Run the game as a nonadministrator to make sure it now works.
One word of caution on loosening the ACLs: don't open them too broadly (such as Everyone—Full Control) or at too high a level (like HKEY_CLASSES_ROOT). It's also best to avoid changing any permissions on system folders like %SYSTEMROOT% and %PROGRAMFILES% to avoid breaking Windows entirely or leaving the system in an unsecure state.
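A narrowly scoped way to apply step 5 and the caution above, as an added example that is not part of the original article: it grants the local Users group Modify on one data folder and write access to one vendor registry key, and refuses system folders and hive roots. The function names are hypothetical, and the folder and key are assumed from the article's sample "CoolGamesInc\NewestFPS" error message.

```powershell
# Added example. Paths are hypothetical, modelled on the article's sample error message.
# Run from an elevated PowerShell session after Filemon/Regmon have shown which
# folders and keys the game actually writes to.

function Test-SafeFolderTarget {
    param([Parameter(Mandatory)][string]$Path)
    $full = [IO.Path]::GetFullPath($Path).TrimEnd('\')
    if ($full -match '^[A-Za-z]:$') { return $false }            # drive root
    $sysRoot = $env:SystemRoot.TrimEnd('\')
    if ($full -ieq $sysRoot) { return $false }                   # %SYSTEMROOT% itself
    if ($full.StartsWith($sysRoot + '\', [StringComparison]::OrdinalIgnoreCase)) { return $false }
    foreach ($pf in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($pf -and $full -ieq $pf.TrimEnd('\')) { return $false }   # %PROGRAMFILES% itself
    }
    return $true
}

function Grant-UsersFolderModify {
    param([Parameter(Mandatory)][string]$Folder)
    if (-not (Test-SafeFolderTarget $Folder)) { throw "Refusing to loosen ACL on '$Folder'" }
    # Modify (not FullControl) for the local Users group (not Everyone), inherited by children.
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        'BUILTIN\Users', 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $Folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

function Grant-UsersKeyWrite {
    param([Parameter(Mandatory)][string]$KeyPath)
    # Require at least HIVE:\BRANCH\Vendor so a hive root or HKLM:\SOFTWARE is never touched.
    if (($KeyPath.TrimEnd('\') -split '\\').Count -lt 3) { throw "Refusing to loosen ACL on '$KeyPath'" }
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        'BUILTIN\Users', 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $acl = Get-Acl -LiteralPath $KeyPath
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $KeyPath -AclObject $acl
}

# Grant on the data subfolder only: write access to the folder holding the game's
# executables would let any user replace a binary that an administrator later runs.
Grant-UsersFolderModify 'C:\Program Files\CoolGamesInc\NewestFPS\Logs'
Grant-UsersKeyWrite     'HKLM:\SOFTWARE\CoolGamesInc\NewestFPS'

# Review the result before testing the game as a limited user.
(Get-Acl -LiteralPath 'C:\Program Files\CoolGamesInc\NewestFPS\Logs').Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    Format-Table FileSystemRights, IsInherited, InheritanceFlags
```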
Another potential work-around is running the game as a system local Power User. This isn't my first choice, but by using an account that is local to that system, the scope of impact is at least limited to a single workstation, should something go wrong. I've found that this fix works for most games that seem to only work properly as an administrator.
As an aside, I find that running a game briefly as an administrator is a handy way to get it self-updated. I typically run the game as an administrator, invoke its update option, and then exit the game and return to my limited user account to actually play. (It's worth mentioning that Windows Vista™ allows for limited users to update apps, assuming the patch is signed by the original publisher.)
Windows Vista also helps games and other applications address file and registry access problems. By default, programs run by limited users have virtualization shims turned on that redirect misguided file and registry accesses to a user-specific cache. I've personally seen games designed in the Windows 9x era (for example, The Neverhood) that don't run properly on Windows XP (due to permissions issues) work perfectly on Windows Vista with the default shims. I'm looking forward to testing some other problematic games on Windows Vista, but my hunch is that I'll be hard-pressed to find a game Windows Vista can't shim properly.
Fixing Firewall Issues
The firewall problem is best solved when first installing the game. However, when the game setup isn't savvy enough to ask about and configure the requisite firewall tweaks, here's a method I've found that works well:
- Log on as an administrator.
- Open the Windows Firewall Control Panel.
- Choose to add a program to the firewall exception list.
- Select the game from the list or browse for the game executable when prompted.
Fixing Issues with Enterprise Clients
The problems games encounter on enterprise clients will disappear in time. The number of multi-computer households with broadband is on the rise, and there's a growing community of users running SBS at home. But for now, a solution is still needed.
In my particular case, I found that a system local LUA worked around the redirected My Documents issue. Both Age of Empires III and Fable: The Lost Chapters work just fine as a limited user as long as the My Documents folder isn't redirected to a network folder.
Resources
- Quake 3 Buffer Overflow Advisory
- Windows Vista Application Development Requirements for User Account Control Compatibility
- Applying the Principle of Least Privilege to User Accounts on Windows XP
- Aaron Margosis’ LUA Buglight tool
- Standard User Analyzer
- Master Your Own Domain: Build a Corporate Network at Home
- Problems of Privilege: Find and Fix LUA Bugs
- Certain Programs Do Not Work Correctly if You Log On Using a Limited User Account
I highly recommend running as a limited user so you can take advantage of the benefits associated with not running as administrator. It's not always easy to game in an enterprise-connected, least privilege world, but it's far from impossible. Over the years, I've found plenty of games covering each genre that work properly as a limited user. And I've found some fixes that make a number of other titles work. Meanwhile, with the virtualization in Windows Vista, games that were impossible to play as a limited user on Windows XP work once again.
Matt Clapham, a Security Program Manager at Microsoft, is an active participant in the Seattle IT security community and a member of the risk management team on an IT incubation project.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.