JACK WHITHAM PhD MEng Professional Activities - Publications - Software - Articles
		Home -> Articles -> How to harden the security of Source Engine games on Steam

Introduction

Most Steam games are hosted on third-party servers. Games including Counter-strike Source and Team Fortress 2 are sufficiently popular that Valve can rely on the players to set up and run the servers that host them. A certain amount of customisation is possible, and many server administrators install "plugins" to add features such as voting and modify game rules. But administrators are not limited to changing the game itself. They can also cause web pages to open within the game.

What's the problem?

A web page opens when a player connects to a server: this page usually has information about the server. It appears in a mini browser window which is actually Internet Explorer, "embedded" in the game. This mini browser shares every security hole that might exist in Internet Explorer, which has a notoriously poor security record as an Internet search will tell you. Just as a malicious website or ad banner could install malware on your computer, a malicious game server could do the same. This would be a great way to steal Steam usernames and passwords.

Server administrators can also send commands to open a web page on your machine as you play. For example, Mani's Admin Plugin for Counter-strike Source provides the "ma_browse" command. Using "ma_browse", a server administrator can cause any webpage to open on any player's computer, using Internet Explorer. It makes no difference if you usually use another browser, such as Firefox: Internet Explorer is always used.

What can I do?

My suggested solution to this problem is to block Internet Explorer from accessing the Internet. (Warning -- there is a caveat below which you should read before you try this.) Unfortunately a complete block will break the Steam application and also prevent custom map downloads. You need an incomplete block, so that only a short "whitelist" of trusted sites can be displayed. In particular, you will want your whitelist to include the following:

• *.steampowered.com
• *.steamcommunity.com
• Every file ending in .bz2

There are probably many ways to implement the whitelist, but I recommend the following:

• Install Privoxy (Download page). This is used as a filter for connections to web pages.
• Find the Privoxy install directory (probably "c:\program files\privoxy") and copy this custom "user.action" file there, replacing an existing file.
• Restart Privoxy.
• Open Internet Explorer, select "Tools" -> "Internet Options".
• Select "Connections" then "LAN settings".
• Select "Use a proxy server for your LAN", and enter "127.0.0.1" as the address and "8118" as the port.
• Click Ok twice.
• Confirm that Privoxy is working by visiting two sites in Internet Explorer:
  • www.google.com should be blocked (you should see an error message)
  • www.steampowered.com should not be blocked - it will open correctly
• Confirm that your usual web browser is unaffected by visiting the same sites.

Danger! -- you are changing the global Windows proxy settings. These don't affect Firefox or Windows Update, and Steam works normally, but many other Windows applications are affected, including Opera, and some VOIP programs and instant messengers. If you use these applications and they don't work properly, you should right click on the Privoxy icon in your system tray and untick Enable. Then your applications will work normally. Tick Enable again when you are playing a game.

Another option is to add new web sites to the whitelist by editing "user.action". This is time consuming; I don't recommend it.

Conclusion

Privoxy provides a neat way to filter Internet access from Internet Explorer, enforcing a whitelist of permitted sites. This allows you to be sure that game servers are not able to infect your computer with malware while you play. Hopefully, the ability to disable the Internet Explorer mini browser will be built into Steam at some point in the future.

		Copyright (C) Jack Whitham 1997-2008