Steam- How to make it more secure?

Discussion in 'other security issues & news' started by merisi, May 15, 2013.

Thread Status:
Not open for further replies.
  1. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I use Steam and I was wondering if there's a way to make it more secure. I've tried making it a guarded application with AppGuard, but it won't work. Sandboxing can be a little tricky if you want to save your game progress. I do have it protected with EMET, but is that enough?

    Does anyone have any idea how to make Steam more secure?

    (I'd just like to add, I've never had any problems with Steam.)
     
  2. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Steam is now multi-platform (Linux, Mac, Windows). I can remark on the Windows version. When it's installed, it gives the Users group a Full Control permission to its folder in the Program Files directory, which is NOT a good idea from a security standpoint. For those who use Software Restriction Policy, this creates a loophole in our SRP protection, among other things.

    Anyway, my stopgap solution is to reset the permissions on Steam's folder back to the proper level for the Users group: read and execute, but not write or create. This is a great way to keep your games from working! :doubt: See, now it's REALLY secure :cautious: When I do want to run a Steam game, I launch Steam itself using Run As Administrator, which is not ideal either, but at least I don't have a highly-obvious loophole in my SRP this way.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Which executables have you added under EMET? Steam.exe, online games, and what else?

    Sorry, I cannot offer any specific help other than what you probably know (keep system secure, software updated, etc.)
     
  4. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    @mechBgon, I hadn't realised quite how vulnerable Steam can be. I have noticed that anytime I start a new game, it's given immediate and total access through my firewall.

    @J_L, I've got Steam.exe covered by EMET but I find tampering a bit too much with the games creates very odd effects such as exiting a game and your screen size for Windows having completely changed.

    I guess this is a case of trusting Steam and hoping they keep things in order.
     
  5. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    I kinda gave up on it. I've separated the Admin account (no elevation), and I really don't want to switch to admin just to play a game. You're dealing with a wide range of applications, as every game is different. Some are quite old, and many don't have digital signatures. Save files are often in Users, but scattered all over the place.

    Even with modern games, did you know that Steam Cloud games store their local save files under the application folder?
     
  6. KurianOfBOrg

    KurianOfBOrg Registered Member

    Joined:
    Jun 10, 2013
    Posts:
    2
    Location:
    India
    It's simple to fully secure a Steam installation.

    1. Remove the explicit Full Control to SYSTEM permission from the Steam folder. It's not necessary since it's inherited from Program Files.

    2. Create a new group called Steam Administrators and add the users (or domain groups) whom you want to be able to update Steam games to it. As for updating Steam itself, I believe Steam Client Service takes care of that for any user since updates are mandatory and anyone should be able to launch Steam.

    It's important to create a new group even if you are simply going to add computer administrators to it because a custom group name will allow Steam to update games without using Run as Administrator since Steam silently fails instead of prompting for elevation.

    3. Change the explicit Full Control to Users permission on the Steam folder to Steam Administrators instead.

    4. Recursively change the owner of the entire Steam folder to SYSTEM and replace all its child object permissions with inherited permissions.

    5. Recursively change the owner of each of the userdata\<userid> and steamapps\<username> folders to their respective user accounts. These effectively become their home directories within Steam thanks to the CREATOR OWNER permission inherited from Program Files. You could optionally link these folders to each user's home directory instead.

    Assuming your Program Files permissions are at default everything should work fine. If a member of Steam Administrators launches Steam, games will update automatically without elevation. Normal users will be able to launch Steam and save games but not update games.

    Remember to log out after adding yourself to Steam Administrators or it won't take effect.
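
The permission check mechBgon describes and the five steps from KurianOfBOrg's post, written out as an added PowerShell example that is not part of the thread. Assumptions: the default install path, an elevated prompt, English account names, and the hypothetical names `Get-BroadWriteAce`, `$members` and `$homes` (left empty until real folder and account names are filled in).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
$steam   = "${env:ProgramFiles(x86)}\Steam"   # assumption: default install path
$group   = 'Steam Administrators'
$members = @($env:USERNAME)                   # assumption: accounts allowed to update games
$homes   = @{}   # fill in, e.g. 'userdata\<userid>' = '<account>' (placeholders)

function Get-BroadWriteAce([string]$Path) {
    # Explicit (non-inherited) Allow ACEs that let broad groups write or modify.
    $broad = 'S-1-5-32-545', 'S-1-1-0', 'S-1-5-11'   # Users, Everyone, Authenticated Users
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $write) -ne 0 -and
        $broad -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
}

'Before:'; Get-BroadWriteAce $steam | Format-Table IdentityReference, FileSystemRights

# Step 1: drop the explicit SYSTEM grant (the one inherited from Program Files stays).
icacls $steam /remove:g '*S-1-5-18'
# Step 2: create the custom group and add the accounts that may update games.
New-LocalGroup -Name $group -Description 'May update Steam games'
Add-LocalGroupMember -Group $group -Member $members
# Step 3: move the explicit Full Control grant from Users to the new group.
icacls $steam /remove:g '*S-1-5-32-545'
icacls $steam /grant "${group}:(OI)(CI)F"
# Step 4: SYSTEM owns the whole tree; child objects keep inherited permissions only.
icacls $steam /setowner 'NT AUTHORITY\SYSTEM' /T /C
icacls "$steam\*" /reset /T /C
# Step 5: each per-user folder is owned by its own account.
foreach ($rel in $homes.Keys) {
    icacls (Join-Path $steam $rel) /setowner $homes[$rel] /T /C
}

'After:'; Get-BroadWriteAce $steam | Format-Table IdentityReference, FileSystemRights
```

An empty "After:" table means no explicit write-capable entry for Users, Everyone or Authenticated Users is left on the Steam folder itself.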
     
  7. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I would be VERY careful when doing any form of tampering with Steam, or any Steam games. Remember that a lot of them use an anti-cheat mechanism called VAC (Valve Anti-Cheat) which is specifically designed to detect unusual changes like DLL injecting (EMET). If you're worried, don't risk it. In my opinion it's completely pointless and irrelevant making such changes to non-internet facing software.
     
  8. A21

    A21 Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    1
    I just want to add this to your thread. I used EMET on Steam before and I got banned on my test account. There was nothing but Steam, EMET and Counter-Strike. Just a warning... I had a thread too on Steam but it got locked. You can still read it though.

    http://forums.steampowered.com/forums/showthread.php?t=2754344
     
  9. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    I'm not surprised. Like I've said previously do NOT add EMET to any games or any game related software.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    If they have restrictive anti-cheat software or DRM. I personally don't bother with MMO (w/o offline mode anymore) or commercial games so the risk isn't much higher than other software. Plus, I've yet to see an incident with adding only Steam in EMET.
     
  11. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Well it's your risk to take. But not everyone is going to automatically know the cause of a ban, suspension, or otherwise. So expecting it to be documented somewhere by a person/forum post/etc is flawed.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    The whole issue was caused by injected code. Since only Steam is under EMET one would logically assume only the platform is affected unless EMET somehow modified Steam's injected code without noticeably affecting other parts of it. Therefore, we'll see Steam errors rather than game errors that'll ban you. Overall the risk is worth far less than the reward for me.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    And why is it not secure enough as it is?
    What exactly do you feel the need to secure there?
    Mrk
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    What reward do you get from adding Steam to EMET exactly? I don't see how such a "reward" could outweigh having an account with potentially hundreds of games suspended.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Can you predict exploits? Does Steam access the Internet?

    If you read my previous post, then it's quite obvious how much Steam is worth to a casual gamer like me.
     
  16. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    No, it doesn't. It dials out to Valve's servers, nothing else. By this flawed logic, you might as well add any and every application in existence to EMET. In today's age pretty much all of them dial out at some point, for update checking or other reasons.

    They are not surfing the internet or loading foreign files/code.

    If you say so.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    And Valve's servers are completely secure. And every application needs Internet access, more than just the update portion I blocked.

    I have nothing to lose using EMET on Steam (nor did that ever happen, whose logic is flawed now?) and protection gained. You're the ones making a big deal trying to dismiss this minor choice.
     
  18. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    377
    I remember when Valve got hacked a few months ago.
     
  19. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    Valve's forums got hacked, nothing unusual due to their use of vBulletin forums. Nothing else was touched, and it's why Valve transitioned to their own home-made forum system. Now they don't have to rely on someone else's code.

    If someone hacks Valve's servers, EMET isn't going to help you. They would have the potential to make Steam auto-update to malware. Your statement is nothing but a misunderstanding of how exploitation works, but like I said earlier, it's your risk to take.
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    You never said anything against Steam being exploitable, other than the usual unlikely. Nor does EMET have no effect on malware itself.

    The risk is overblown, the reward is underwhelmed. In the end, it's clearly a net positive for me.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,219
    It does access, but then ... so what?
    What kind of problem do you really foresee?
    Mrk
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    @FD,
    Remember that post about clout? Tip: You don't know how exploitation works either.

    Steam opens a few ports, it takes in input, it is exploitable. That's simply the fact. Is it likely? IDK, I don't know a lot about Steam's setup, how it does ads, the userbase, etc. I'd guess it's quite unlikely.

    But there is potential. And if someone wants to remove that potential, or lessen it, then who really cares?
     
  23. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That's rich coming from some of the posts you've made, :x

    What was that whining about long passwords being enough? Or thinking a far away DNS server wouldn't affect your performance? o_O

    I wouldn't play that card if I were you.

    Where did I say Steam wasn't exploitable?

    It is seriously unlikely. Also, it doesn't have ads, anywhere.

    I'll repeat myself: If you honestly think risking an account suspension by triggering Steam's anti-tampering or anti-cheating mechanisms is worth it, go right ahead. I wouldn't recommend it under any circumstances, nor do I see why it would be needed other than the usual tin foil add-everything-to-EMET people.
     
  24. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    556
    Location:
    USA
    The Steam client is built on Chromium Embedded Framework. It is essentially a web browser when it accesses the store, and it can be used to browse other sites when in the overlay or in Big Picture mode. It uses Flash for many of the game trailers. However, it should be limited to Steam's own sites unless you make it a point to connect to something else.

    Steam's store/community pages don't seem to serve ads from third parties, as the only JavaScript is from steampowered.com or steamcommunity.com, and our old friend google-analytics.com (according to NoScript).

    I agree that I wouldn't want to risk an account suspension to make it more secure though.
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Please, what all of you don't understand is that both scenarios are highly unlikely, or else my account would've been banned a long time ago. It all depends on how much you value your Steam account vs your system.

    @Mrkvonic: Already answered, just read the posts above.
     