Steam- How to make it more secure?

Discussion in 'other security issues & news' started by merisi, May 15, 2013.

Thread Status:
Not open for further replies.
  1. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    I use Steam and I was wondering if there's a way to make it more secure. I've tried making it a guarded application with AppGuard, but it won't work. Sandboxing can be a little tricky if you want to save your game progress. I do have it protected with EMET, but is that enough?

    Does anyone have any idea how to make Steam more secure?

    (I'd just like to add, I've never had any problems with Steam.)
     
  2. mechBgon

    mechBgon Registered Member

    Joined:
    Mar 2, 2013
    Posts:
    68
    Location:
    USA
    Steam is now multi-platform (Linux, Mac, Windows). I can remark on the Windows version. When it's installed, it gives the Users group a Full Control permission to its folder in the Program Files directory, which is NOT a good idea from a security standpoint. For those who use Software Restriction Policy, this creates a loophole in our SRP protection, among other things.

    Anyway, my stopgap solution is to reset the permissions on Steam's folder back to the proper level for the Users group: read and execute, but not write or create. This is a great way to keep your games from working! :doubt: See, now it's REALLY secure :cautious: When I do want to run a Steam game, I launch Steam itself using Run As Administrator, which is not ideal either, but at least I don't have a highly-obvious loophole in my SRP this way.
     
  3. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Which executables have you added under EMET? Steam.exe, online games, and what else?

    Sorry, I cannot offer any specific help other than what you probably know (keep system secure, software updated, etc.)
     
  4. merisi

    merisi Registered Member

    Joined:
    Dec 17, 2012
    Posts:
    316
    @mechBgon, I hadn't realised quite how vulnerable Steam can be. I have noticed that anytime I start a new game, it's given immediate and total access through my firewall.

    @J_L, I've got Steam.exe covered by EMET but I find tampering a bit to much with the games creates very odd effects such as existing a game and your screen size for Windows having completely changed.

    I guess this is a case of trusting Steam and hoping they keep things in order.
     
  5. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    I kinda gave up on it. I've separated the Admin account (no elevation), and I really don't want to switch to admin just to play a game. You're dealing with a wide range of applications, as every game is different. Some are quite old, and many don't have digital signatures. Save files are often in Users, but scattered all over the place.

    Even with modern games, did you know that Steam Cloud games store their local save files under the application folder?
     
  6. KurianOfBOrg

    KurianOfBOrg Registered Member

    Joined:
    Jun 10, 2013
    Posts:
    2
    Location:
    India
    It's simple to fully secure a Steam installation.

    1. Remove the explicit Full Control to SYSTEM permission from the Steam folder. It's not necessary since it's inherited from Program Files.

    2. Create a new group called Steam Administrators and add the users (or domain groups) whom you want to be able to update Steam games to it. As for updating Steam itself, I believe Steam Client Service takes care of that for any user since updates are mandatory and anyone should be able to launch Steam.

    It's important to create a new group even if you are simply going to add computer administrators to it because a custom group name will allow Steam to update games without using Run as Administrator since Steam silently fails instead of prompting for elevation.

    3. Change the explicit Full Control to Users permission on the Steam folder to Steam Administrators instead.

    4. Recursively change the owner of the entire Steam folder to SYSTEM and replace all its child object permissions with inherited permissions.

    5. Recursively change the owner each of the userdata\<userid> and steamapps\<username> folders to their respective user accounts. There effectively become their home directories within Steam thanks to the CREATOR OWNER permission inherited from Program Files. You could optionally link these folders to each user's home directory instead.

    Assuming your Program Files permissions are at default everything should work fine. If a member of Steam Administrators launches Steam, games will update automatically without elevation. Normal users will be able to launch Steam and save games but not update games.

    Remember to log out after adding your self to Steam Administrators or it won't take effect.
     
  7. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    I would be VERY careful when doing any form of tampering with steam, or any steam games. Remember that a lot of them use an anti cheat mechanism called VAC (Valve Anti-Cheat) which is specifically designed to detect unusual changes like DLL injecting (EMET). If you're worried, don't risk it. In my opinion it's completely pointless and irrelevant making such changes to non-internet facing software.
     
  8. A21

    A21 Registered Member

    Joined:
    Aug 23, 2013
    Posts:
    1
    I just want to add this to your thread. I used EMET on steam before and I got banned on my test account. There was nothing but steam, emet and counter strike. Just a warning... I had a thread too on steam but it got locked. You can still read it though.

    http://forums.steampowered.com/forums/showthread.php?t=2754344
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    I'm not surprised. Like I've said previously do NOT add EMET to any games or any game related software.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    If they have restrictive anti-cheat software or DRM. I personally don't bother with MMO (w/o offline mode anymore) or commercial games so the risk isn't much higher than other software. Plus, I've yet to see an incident with adding only Steam in EMET.
     
  11. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Well it's your risk to take. But not everyone is going to automatically know the cause of a ban, suspension, or otherwise. So expecting it to be documented somewhere by a person/forum post/etc is flawed.
     
  12. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    The whole issue was caused by injected code. Since only Steam is under EMET one would logically assume only the platform is affected unless EMET somehow modified Steam's injected code without noticeably affecting other parts of it. Therefore, we'll see Steam errors rather than game errors that'll ban you. Overall the risk is worth far less than the reward for me.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    And why is it not secure enough as it is?
    What exactly do you feel the new to secure there?
    Mrk
     
  14. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    What reward do you get from adding Steam to EMET exactly? I don't see how such a "reward" could outweigh having an account with potentially hundreds of games suspended.
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Can you predict exploits? Does Steam access the Internet?

    If you read my previous post, then it's quite obvious how much Steam is worth to a casual gamer like me.
     
  16. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    No, it doesn't. It dials out to Valves servers, nothing else. By this flawed logic, you might as well add any and every application in existence to EMET. In today's age pretty much all of them dial out at some point, for update checking or other reasons.

    They are not surfing the internet or loading foreign files/code.

    If you say so.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    And Valve's servers are completely secure. And every application needs Internet access, more than just the update portion I blocked.

    I have nothing to lose using EMET on Steam (nor did that ever happen, who's logic is flawed now?) and protection gained. You're the ones making a big deal trying to dismiss this minor choice.
     
  18. max2

    max2 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    339
    I remember when Valve got hacked a few months ago.
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    Valves forums got hacked, nothing unusual due to their use of vBulletin forums. Nothing else was touched, and its why Valve transitioned to their own home-made forum system. Now they don't have to rely on someone elses code.

    If someone hacks Valves servers, EMET isn't going to help you. They would have the potential to make Steam auto-update to malware. Your statement is nothing but a misunderstanding of how exploitation works, but like I said earlier, it's your risk to take.
     
  20. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    You never said anything against Steam being exploitable, other than the usual unlikely. Nor does EMET have no effect on malware itself.

    The risk is overblown, the reward is underwhelmed. In the end, it's clearly a net positive for me.
     
  21. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    It does access, but then ... so what?
    What kind of problem do you really foresee?
    Mrk
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    @FD,
    Remember that post about clout? Tip: You don't know how exploitation works either.

    Steam opens a few ports, it takes in input, it is exploitable. That's simply the fact. Is it likely? IDK, I don't know a lot about steams setup, how it does ads, the userbase, etc. I'd guess it's quite unlikely.

    But there is potential. And if someone wants to remove that potential, or lessen it, then who really cares?
     
  23. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,854
    That's rich coming from some of the posts you've made, :x

    What was that whining about long passwords being enough? Or thinking a far away DNS server wouldn't affect your performance? o_O

    I wouldn't play that card if I were you.

    Where did I say Steam wasn't exploitable?

    It is seriously unlikely. Also, it doesn't have ads, anywhere.

    I'll repeat myself: If you honestly think risking an account suspension by triggering Steam's anti-tampering or anti-cheating mechanisms is worth it, go right ahead. I wouldn't recommend it under any circumstances, nor do I see why it would be needed other than the usual tin foil add-everything-to-EMET people.
     
  24. SirDrexl

    SirDrexl Registered Member

    Joined:
    Apr 14, 2012
    Posts:
    545
    Location:
    USA
    The Steam client is built on Chromium Embedded Framework. It is essentially a web browser when it accesses the store, and it can be used to browse other sites when in the overlay or in Big Picture mode. It uses Flash for many of the game trailers. However, it should be limited to Steam's own sites unless you make it a point to connect to something else.

    Steam's store/community pages don't seem to serve ads from third parties, as the only JavaScript is from steampowered.com or steamcommunity.com, and our old friend google-analytics.com (according to NoScript).

    I agree that I wouldn't want to risk an account suspension to make it more secure though.
     
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Please, what all of you don't understand is that both scenarios are highly unlikely, or else my account would've been banned a long time ago. It all depends on how much you value your Steam account vs your system.

    @Mrkvonic: Already answered, just read the posts above.
     
Loading...
Thread Status:
Not open for further replies.