How should a reasonably secure/private Windows gaming PC look like?

Proposed alternate title: Finding privacy in the various gaming ecosystems

Preface

Looking back at the anniversary of the release of the Steam Deck, it is viewed as an overwhelming success that strives on improving its gaming experience. For the first time since the inception of the Steam machines way back in 2015, Linux may have finally be viewed as an actual viable alternative to the Windows gaming platform. Indeed, the vast 70-80+ of the most played games in Steam is now playable through the improvements of proton and the Linux gaming community.

Use cases for Windows gaming

Despite the advances of gaming Linux, it still lags behind in some areas, notably HDR, VRR and other things like the lack of widespread support for adjusting the DPI and RGB of gaming mice. Anti-cheat software has been promised support for Linux and Valve has made it available as a one-click toggle but not all game publishers want Linux gamers. It seems that some gaming publishers want inclusivity in their gaming, but not those that identify as Linux gamers.

Not everyone wants to convert to Linux, sadly, despite the obvious benefits. Maybe the children want to play a game that is not supported in Linux with their school friends. Perhaps there is a spare Linux PC in the house that sits unused. Or there is a strong desire of internally justifying a newly purchased monitor and graphics card by using its features.

Windows gaming prerequisites

Before we dive into gaming, a quick review of the Windows Guide would have us prepare:

• An Enterprise/Education version of WIndows 11. If unavailable, the Pro is preferred over the Home version.
• Hardening related to BitLocker encryption should be considered especially for laptops, otherwise, a desktop
• A separate administrator account, only used for installing, uninstalling software and providing a means to do other software maintenance requiring elevated privileges.
  • UAC must be set to the highest setting.
  • All installs should be done via winget CLI as much as possible.
  • Avoid hardware driver adjacent software when you can and just rely on the OS’ ability to find drivers for you.
• A regular (non-admin) account where the actual games and their respective game storefront client will be installed.

PC Game storefronts

Ideally, the most private way to purchase a game is let someone else (because CCTVs), preferably someone you don’t know, go through the front door of the game developer/studio themselves and paying with cash then getting a CD/DVD copy of the game without any DRM of sorts.

Since the death of physical media and in-store purchases, most gamers have collectively decided to just go with online game storefronts for purchases and indeed benefit from the convenience and the various discounts and deals particularly around holidays season.

And these are the game storefronts that we have these days:

• Steam
• Epic Games Store
• GOG
• The Humble Store
• itch.io
• Origin (by EA)
• Ubisoft Connect
• Battle.net (by Activision-Blizzard)
• Windows Store (by Microsoft and all their recently acquired XBox exclusive partners).
• Riot Games

There are also online retailers that buy games in bulk from the above publishers and resell them like:

• Fanatical
• Green Man Gaming
• GamersGate
• IndieGala
• and other, shadier key resellers that is so bad, game devs are actually telling people to pirate their games instead

But which one to pick?

A quick cross reference to Terms of Service, Didn’t Read shows the worst offenders were the larger tech companies (with no surprise) being Apple, Google with their respective storefronts, and followed by Activision-Blizzard (they asked for an ID picture scan prior to account deletion).

Steam, unsurprisingly got a Grade D as they work with other banks and other gaming companies, they are eventually required by law to collect and share personal information because they take credit cards and other payment methods.

The rest of the game storefronts in list above is currently ungraded/unscored in TOSDR. Of particular note are the following:

• Riot Games, home of the much maligned Vanguard kernel-level anti-cheat, which funnily enough, also catches cheaters from other non-company related games (at least according to LTT’s WAN Show).
• Epic Games has also been graciously giving away free copies of proper Triple-A games almost weekly at a more or less regular intervals since its inception with the hope of winning the long term battle of having people with a large amount of free games staying within their ecosystem (and avoiding avoid getting a proper stockpile of Steam games). Unfortunately Epic is doing shenanigans with snooping around your PC and looking at your steam profile surreptitiously.
• itch has probably the least amount of issues, despite its ungraded state. Unfortunately, itch focuses on indie games and pretty much none of the triple-A games are available there.
• GOG does not have DRM software, something that could be a potential source for privacy and security issues. This is probably the better balance between game selection and privacy/security with a more bias towards gaming than actual privacy or security. To make things worse they seem to be Linux averse, but thankfully, games could be run without their client and instead use Wine and/or Lutris - but this is a separate unrelated issue.

But I want all of them on my Windows machine!

The easiest way to do it is to put it all on one user login. Unfortunately with companies like Epic Games that were caught snooping around or with invasive anti-cheat like Vanguard running during startup with the added opaqueness of the Windows, I think it could be best to just separate each storefronts installed as different users to avoid them snooping at each other.

I want my Discord as well!

Discord is particularly creepy because it listens and reads through your messages but it needs an account and a cellular number that would take effort to anonymize. And it is sort of useless because your friends who don’t really care about privacy will say your real name in voice chat or type your name to address you anyway. It is weird to tell them to call you a different name and even then, they will likely not comply.

If you have to run Discord, you can run it as web client if you absolutely have to but you will not get the cool features it has such as automatically detecting the current game playing and also lose the ability to share screen with friends, should they ever need it. There is likely no benefit in running it in a dedicated phone, de-Googled or not.

Alternatively there is Mumble and TeamSpeak, both also ungraded in the TOSDR site. Both also requires knowledge in deploying server software. Keeping it running securely and with up to date patches is another issue altogether. Pushing players to run either of them will go against the network effect that Discord also has, increasing the friction of adoption. You could do Matrix bridges if you want it in your Element chat client but that also takes work and does not include voice comms. You could run with less technical know how by paying them to host your bridge but it also takes time, effort and technical know-how to do so.

Another alternative is you could stick to Steam for voice chats. But I am unsure if the chat is monitored and recorded. Without proof, it feels like it likely is doing the same as Discord because the HQ lives in a Five Eyes country.

While we are at it, you could use Signal for group voice calls but the latency will probably be terrible. The same could be used for text messages as well as any other secure communications software in the Recommendations page.

And that is it! The TLDR is probably:

• Avoid piracy of any sort to avoid malware.
• Use same hardening as the windows guide.
• Buy from GOG if you have to, to avoid intrusive DRM and avoid the rest, if you can.
• Older console emulation is also viable. Sourcing the games ROMs are a potential ethical issue, especially if you do not own them.
• Prefer to install game storefront clients in separate user logins if using multiple game storefronts.
• Use voice and chat comms as seen in the Recommendations. Yes, the experience will probably be terrible if you can even get people to use it.

Emulation and that other shady alternative

Summary

Yet also…

there800×450 23.7 KB

There is another… way to game.

Emulation is sort of a dirty word, and while a lot of the nuance is lost in the vast online discussion out there, more than I could ever put in the effort to understand it. Suffice to say that it is a tool, something we can use in the name of privacy. Another requirement is that you need to have the firmware/BIOS of the console you are emulating and getting them might actually break some laws.

At any rate, I think the best in class of general gaming emulation is RetroArch. I haven’t really had a good dig at it because of the sheer amount of games in my Steam Library. I’ve really stopped pirating games because Steam made it cheaper and easy to access.

Speaking of piracy, needless to say, as with sourcing your Windows OS, piracy is a big no no and has always been a vector of PC malware infection. If you have to, at least borrow someone’s account that has a GOG game you want. Don’t torrent GOG games too, for the same reason.

Consoles:

will move these in its own different section

Mobile

these as well

Probably the most important thing is to make sure you only use your gaming machine for gaming. Put it on a separate VLAN; the easiest way to do this for most routers is to enable your guest network and connect it to that exclusively. The current situation with anticheat and the fact that you’re trusting a lot of random software, some of which might be very old and no longer supported, means you need to treat your gaming machine like a quarantine zone.

Edit: Forgot to add, ideally don’t do any transactions on the gaming machine. Either buy/download games with no DRM and transfer to your machine with a USB or have a separate steam account that doesn’t have any financial or personal info on it and gift Steam games from one account to the quarantined account.

If you do decide to write the guide, someone else or I could help convert it over to the correct format and make a PR out of it.

Pretty cool advice, however, I don’t see the purpose of fully hardening Windows as described in the guide. Encryption will make gaming performance worse, and I assume it wouldn’t be very beneficial if you’re using the hard drive with the OS exclusively for gaming (as you should). On the other hand, this changes if you’re using a gaming laptop.

If you have remaining funds in you Steam account and a thief steals your dedicated gaming device, they could buy games and gift it for resale.

They could also steal whatever browser session cookies and might do identity theft.

I do not know how much performance is lost in an encrypted vs unencrypted machine, particularly in Windows. I am thinking it might not be significant if you are on an NVME SSD. I will report back as soon as I am finished.

@anon30510143

That is an excellent way to do it! That should remove the need to put in device encryption to prevent someone from stealing finances and potentially, financial information from your gaming device. I should add that some Steam Cards/Gems are also worth stealing and should be gifted back to the financing account.

With regards to VLANs, I am currently doing readings in order to do that correctly on my homelab this weekend. I’ve already got a pfsense router, managed switch and a wireless AP flashed with OpenWRT. I just dont know how to pipe it together quite properly yet. I dont know if there is an easy guide to do it out there and testing if it should be straightforward (which is my way of saying I hope someone can do it too).

@noClaps

Please do.

This is for the community and I have had this on my mind for a long long time and I was not able to do until I read the Windows Hardening guide and had some quiet alone time. It is feels a bit informal and meme-y with the Red Yoda and you may do some rewrite to make it more serious as you feel is needed.

Thank you so much!

Haha I didn’t even think of gift cards that’s probably a better way to do it, discard what I said lol. Sounds like you have a nice setup going, @dngray is the resident networking expert so maybe he has some pointers.

As a gamer and IT person I would say these are fair observations but we should also consider a more approachable and realistic way to introduce gamers to privacy. Anyone who wants to play a game should not be told to use a dedicated device inside a VLAN or to avoid playing because it’s not DRM free or has an anticheat. Compromise is the key and we should explain what are the risks involved and what can be done to mitigate them.

Gifting many money/games between accounts could lead to an account ban because of suspicious activities so watch out for the ToS. If you want to use a similar approach use Steam family sharing or, as suggested, buy DRM free games.

Encryption should always be used for laptops, it will impact performance a little(eg.loading times) but with modern hardware you should be fine.

Anyway, I think we have a good starting point.

If you have the hardware, put it in a VM.

But this won’t work if you want to play multiplayer games with anticheat. IMO the best bang for your buck is a separate drive to dual boot to just for gaming.

Question: how bad is it to daily drive an admin account, if I have UAC set to the highest level?

Depends on how much you fiddle with your settings. It geta annoying quick if your admin logon password is long.

If your machine usage and fiddling is already settled down it shouldn’t even bother you at all.

For the usage above, if UAC is bothering you a lot, you are probably using your account wrong.

Anything other than the highest UAC setting allows malware to instantly gain admin access.

This site has good configuration recommendations for Windows from a security perspective:

Riot Games, home of the much maligned Vanguard kernel-level anti-cheat

honestly, as far as kernel anticheats go, riot’s probably the best in terms of privacy. They claim everythings handled locally and no personal info is transmitted, u have to trust them sure, but i’d be far more cautious about games like warzone.

Epic Games

fortunately, some great community clients exist for this. you can just uninstall egs entirely and use GitHub - Heroic-Games-Launcher/HeroicGamesLauncher: A Native GOG, Amazon and Epic Games Launcher for Linux, Windows and Mac. which is open source.

GOG

if a game’s on gog, i’d for sure prioritize it. Great store.

1. Epic Games can be replaced with Heroic Launcher for most part

2. Using a DNS filter is mandatory to preserve your privacy, because not only the OS itself but also the Game Launchers & games themselves often contain a lot trackers and telemetry

→ Adguard Home, piHole, NextDNS, Portmaster, etc.

I use Kodo Pengins Mainlist which also covers a wide range of other applications but you can also use Kodo Pengins Gaming List.

So, we should consider Linux right? How would be SteamOS for privacy? I know Valve probably adds telemetry, but likely not has bad as windows.

As I have said, this is a guide specifically for windows. I will tackle the topic of gaming in other platforms soon.

Actually Mohamad20ZX already made a guide for Android games Check it out here

i suppose if you’re getting games from itch.io, especially ones from random people, you can use the itch sandbox which is an option in the itch.io launcher to play the games. The sandbox · The itch.io app book - itch.io

For other’s, sandboxie plus is always an option.

Depending on your gaming needs consider cloud gaming in the browser. No evil software with kernel level anti-cheats to install, no spyware on your machine.

The 2 big players right now are Xbox Cloud gaming via the GamePass Ultimate and Nvidia’s GeForce Now.

That’s actually a good suggestion for privacy even though gamers tend to shun it because of latency issues.

@Skyman12 I dont have an account there. Do you think we could get a permission to repost that guide here? I could also do a complete rewrite.

I should take a look at that sandbox software when I have time. Write up is on pause beacuse I was a bit busy last week and this week.