Recommendations for Dalet Solutions
Disclaimer
The information provided in this document contains proprietary and confidential information that is the property of Dalet. Distribution of any information contained in this document to third parties including, but not limited to contractors, system integrators, and other vendors is strictly prohibited without prior written consent of Dalet.
Product specifications and availability are subject to change without notice. Dalet is a registered trademark owned by Dalet. All other brands and trademarks are those of their respective owners.
Please note that in the versioning history of this article below, you can access information relevant to earlier Dalet software generations and their requirements. The active/future versions of this article will refer only to the current state of affairs.
The purpose of this document is to recommend appropriate hardware, software components as well as various system variables for a platform running Dalet. General hardware and software evolution, as well as particular site requirements may call for modifications of the technical details or general recommendations included in this document.
The information included in this document is subject to change. The recommendations below are broad guidelines and not a certified off-the-shelf solution or validated shopping list. In principle, each critical hardware component of a server (HBA “Host-Bus-Adapter” provider/model, NIC provider/model, RAM sizing, video card provider/model etc.) has to be validated by Dalet.
Please note that depending on the authentication level, some articles mentioned may not be accessible to you. Contact Dalet support if needed.
Long Term Support Plan, Dalet Solutions Release History and Versions
- Long Term Support Plan (LTSP)
- Dalet Supported Operating Systems
- Permissible MSSQL Versions Per Dalet Version Revision
Security Recommendations
Galaxy / Amberfin / Cube AV Security Recommendations
To ensure optimal performance, the Galaxy system requires certain media file types to be excluded from real-time antivirus scans. Such scans can introduce latency or cause access failures in some cases. The specific file extensions to be excluded may vary depending on the customer's workflow and the video formats they use.
Commonly recommended media file extensions for exclusion include: MXF, MOV, M2V, MPD, M4A, M4V, M4S, WAV, MP4, MP2, MP3, M3U8, IDX, VOL, TCD, IXF, ITI, TGA, PNG, EDL, SRT, and HEP.
Additionally, for each of these extensions, a parallel extension with the suffix "WREC" should also be excluded (e.g., MXFWREC for MXF). This additional extension is used during "While Operations."
Dalet does not have specific requirements for antivirus and SQL Server configurations. Instead, we recommend following the guidelines provided by Microsoft, which can be found at the following link: Configure antivirus software to work with SQL Server - SQL Server | Microsoft Learn
Any previous recommendations regarding process, folder, or other exclusions are no longer advised and should be disregarded.
Here is an example of PowerShell code to apply the recommended file extension exclusions in Windows Defender:
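The article's own script is not reproduced on this page; the following is an added example (not a Dalet-supplied script) that applies the extension list above, plus the "WREC" variants, to Microsoft Defender using the standard Defender cmdlets, and is safe to re-run:

```powershell
# Added example (not Dalet's original script): exclude the media extensions listed
# in the article, plus each "<ext>WREC" counterpart, from Defender real-time scans.
# Requires an elevated PowerShell session on the Galaxy (or Brio) server.
$baseExtensions = @('MXF', 'MOV', 'M2V', 'MPD', 'M4A', 'M4V', 'M4S', 'WAV', 'MP4',
                    'MP2', 'MP3', 'M3U8', 'IDX', 'VOL', 'TCD', 'IXF', 'ITI', 'TGA',
                    'PNG', 'EDL', 'SRT', 'HEP')

# Build the full list: each extension and its WREC variant (e.g. MXF -> MXFWREC)
$exclusions = foreach ($ext in $baseExtensions) { $ext; "${ext}WREC" }

# Only add entries that are not already present, so repeated runs do not duplicate
$current = (Get-MpPreference).ExclusionExtension
$toAdd = $exclusions | Where-Object { $current -notcontains $_ }

if ($toAdd) {
    Add-MpPreference -ExclusionExtension $toAdd
}

# Show the resulting exclusion list for verification
(Get-MpPreference).ExclusionExtension | Sort-Object
```

Extension exclusions apply to every path on the host, so deploy this only on servers that handle media, not on general-purpose workstations.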
For any third-party solutions integrated with Galaxy, the same recommendations apply (unless stated otherwise by the vendor). Please consult the vendor to determine the required media file extensions that should be excluded.
BRIO Video Server AV Security Recommendations
The Brio Video appliance comes pre-configured and hardened, using Windows Defender as its antivirus solution. By default, Brio software executable files are excluded from scanning. However, this exclusion can be removed, and the provided script for file extensions can be deployed on the Brio server as an alternative.
Since Brio is a Video Server Appliance, it should be treated as such and should not be connected to any endpoint management system. Updates to its Windows Defender should be managed via Windows Update (process discussed in a different section). In the event of a 0-day vulnerability, the security intelligence update can be manually downloaded and deployed from the following link:
Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence
Dalet Products & Windows Updates
As Dalet products are used in sensitive real-time environments, Dalet does not recommend deploying Windows Updates automatically or unattended. Windows Update deployment should be scheduled and agreed with the Dalet administration team on-site.
Regular Security Updates and Notifications
In addition to 0-day security updates (which should be deployed as soon as possible), Microsoft releases its updates every second Tuesday of the month (commonly known as Patch Tuesday). Dalet recommends waiting at least an additional week before deploying these updates, i.e. on the third Tuesday of the month. The Customer's IT team should inform the Dalet administration team when such updates are applied, to ensure proper follow-up and to address any issues that may arise from the updates.
Brio Video Server Appliance Update Process
For Brio Video Server Appliances, the above recommendations still apply. However, all updates (including 0-day security updates) should be performed using a command line updating tool called “WUP.” After regular Windows updates (Patch Tuesdays), WUP should be launched again after a reboot to ensure no further updates are needed.
Please obtain the latest WUP script from the WIKI or via Dalet Support.
Running Windows Update independently on Brio Appliances might result in failure or damage to the Brio operating system.
Brio Server Appliance Hardening
To minimize the Brio Server's external footprint, configure Windows Firewall to allow only the following service ports:

| Brio Appliance Service | REST | TCP | gRPC |
| --- | --- | --- | --- |
| Dalet Brio Amazon S3 copier | 9081 | | |
| Dalet Brio Anywhere Copier | 9082 | | |
| Dalet Brio Avid copier | 9083 | | |
| Dalet Brio Database Server | 9120 | | |
| Dalet Brio FTP copier | 9084 | | |
| Dalet Brio Router Controller | 9111 | | |
| Dalet Brio VTR Controller | 9170 | | |
| Dalet Brio Backup Copier | 9080 | | |
| Dalet Brio NMOS | 9300 | | |
| Dalet Brio NMOS Connection management | 9302 | | |
| Dalet Brio NMOS Registration | 9301 | | |
| Dalet Brio Aspect Ratio Changer | 8080 | | |
| Dalet Brio Extractor A..H | 9031..9038 | | |
| Dalet Brio Mover A..H | 9041..9048 | | |
| Dalet Brio RTP Mosaic Server | 9101 | | |
| Dalet Brio RTP Gateway | 9102 | | |
| Dalet Brio Streaming Server Player A..H | 8080..8087 | | |
| Dalet Brio Streaming Server Recorder A..H | 8090..8097 | | |
| Dalet Brio VDCP A..H | 10521..10528 | | |
| Dalet Brio VDCP Gateway | 10500 | | |
| Dalet Brio FTP Server | 21 | | |
| Dalet Brio Portal | 9200 | | |
| Dalet Brio Player API | 9160 | | |
| Dalet Brio File System API | 9150 | | |
| Dalet Brio Logs Collector | 9180 | 9009 | |
| Dalet Brio Socket logging server | 11111-11153 | | |
| Dalet Brio Sentinel Service | 9010 | | |
| Dalet Brio Manager | 9100 | | |
| Dalet Brio Player A..H | 9011..9018 | | |
| Dalet Brio Recorder A..H | 9021..9028 | | |
| Dalet Brio FIMS Capture Service | 9000 | | |
| Dalet Brio FIMS Transfer Service | 9001 | | |
| Dalet Brio Ingest Scheduler | 9140 | | |
| Dalet Brio Streaming Monitor | 8433 | | |
| SMB Protocol (File and Printer Sharing) | 445 | | |
| SMB Protocol (SMB Over NetBios) | 139 | | |
Brio Drive Share Naming and Mounting Recommendations
The Brio V:\ drive share name should include a $ at the end (e.g., media$). This will hide the share from malware network scans. Additionally, it is recommended to never mount the Brio share as a drive on any workstation or server.
Alternative File Transfer Protocol for Brio Video Server Appliance
While Dalet recommends using SMB as the default protocol for file transfers to and from the Brio Video Server Appliance, you can disable SMB entirely and use the Brio FTP Server instead.
(Note: SMB 1.0 is disabled by default on the Brio Video Server Appliance.)
Managing Administrative Shares on Windows Servers
The Brio Video Server Appliance is based on Windows Server technology. On Windows Server, hidden administrative shares are automatically created to allow administrators, programs, and services to access and manage resources. However, these administrative shares can pose a security risk and can be disabled.
Disabling administrative shares can be done by modifying the registry value HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\AutoShareWks to 0.
(Disabling administrative shares does not disable the IPC$ share. Although this share is not used to access files directly, ensure that anonymous access to it is disabled. Alternatively, you can remove the IPC$ share completely by deleting it via net share IPC$ /delete.)
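As an added example (not a Dalet-supplied script), the following PowerShell turns off automatic administrative shares, removes IPC$ as described above, and reports the anonymous-access settings; it assumes the AutoShare values live under the LanManServer\Parameters subkey, where Windows stores both AutoShareWks (workstation) and AutoShareServer (server editions):

```powershell
# Added example (not Dalet's script): disable automatic administrative shares,
# drop IPC$, and check that anonymous (null-session) access is restricted.
# Run in an elevated PowerShell session on the Brio appliance.

# Assumption: AutoShareWks / AutoShareServer are read from LanManServer\Parameters.
# Both are set so the change holds on workstation and server editions alike.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    Set-ItemProperty -Path $params -Name $name -Value 0 -Type DWord
}

# The registry change only prevents re-creation when the Server service next
# starts; remove the admin shares that already exist (C$, ADMIN$, ...) now.
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# IPC$ is not covered by the setting above; delete it as the article describes
net share 'IPC$' /delete

# Report the two values that govern anonymous access:
# RestrictNullSessAccess (Server service) and RestrictAnonymous (LSA);
# a value of 1 or higher means null sessions cannot enumerate shares or accounts
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
[pscustomobject]@{
    RestrictNullSessAccess = (Get-ItemProperty -Path $params).RestrictNullSessAccess
    RestrictAnonymous      = (Get-ItemProperty -Path $lsa).RestrictAnonymous
}

# Confirm what remains shared
Get-SmbShare | Select-Object Name, Path, Special
```

IPC$ is re-created whenever the Server service restarts, so the deletion has to be repeated after a reboot or scripted at start-up.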
Network Traffic Management for Brio Video Server Appliance
For customers who do not run production servers on a Broadcast Data Network separate from the rest of the network (users), an additional layer of protection can be achieved. This can be done by limiting traffic to and from the Brio Video Server appliances to specific hosts (such as IngestManager and Broadcast Servers) using Windows Firewall or network switches.
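The port table in the Brio Server Appliance Hardening section and the host restriction described here can be applied together; the following is an added example (not a Dalet-supplied script) that creates inbound allow rules for a subset of the listed Brio services, restricts them to the IngestManager and Broadcast Server addresses, and blocks all other inbound traffic. The host addresses are constructed placeholders:

```powershell
# Added example (not Dalet's script): allow only the listed Brio service ports
# inbound, restricted to known hosts, and drop everything else.
# Run in an elevated PowerShell session on the Brio appliance.
$group = 'Dalet Brio'

# Subset of the article's port table; extend with the remaining services.
# A..H instance ranges are written as "first-last".
$services = @(
    @{ Name = 'Dalet Brio Manager';             Ports = '9100' }
    @{ Name = 'Dalet Brio Portal';              Ports = '9200' }
    @{ Name = 'Dalet Brio Player API';          Ports = '9160' }
    @{ Name = 'Dalet Brio File System API';     Ports = '9150' }
    @{ Name = 'Dalet Brio Logs Collector';      Ports = @('9180', '9009') }
    @{ Name = 'Dalet Brio Player A..H';         Ports = '9011-9018' }
    @{ Name = 'Dalet Brio Recorder A..H';       Ports = '9021-9028' }
    @{ Name = 'Dalet Brio VDCP A..H';           Ports = '10521-10528' }
    @{ Name = 'SMB (File and Printer Sharing)'; Ports = '445' }
)

# Constructed placeholder addresses for IngestManager and the Broadcast Servers;
# an empty array allows any source address.
$allowedHosts = @('192.0.2.10', '192.0.2.20')

# Remove rules from an earlier run so the script is idempotent
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($svc in $services) {
    $rule = @{
        DisplayName = $svc.Name
        Group       = $group
        Direction   = 'Inbound'
        Protocol    = 'TCP'
        LocalPort   = $svc.Ports
        Action      = 'Allow'
    }
    if ($allowedHosts.Count -gt 0) { $rule.RemoteAddress = $allowedHosts }
    New-NetFirewallRule @rule | Out-Null
}

# Anything not explicitly allowed above is dropped on every profile
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Review the resulting rule set
Get-NetFirewallRule -Group $group | Format-Table DisplayName, Enabled, Action
```

Before switching the default inbound action to Block, confirm that a rule for whatever you use for remote administration is already in place, otherwise the session you are running from may be the last one that gets in.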
Brio/Galaxy Operating Protocol
For Galaxy Version 376 and above, Brio MediaAgents and Brio Servers should be moved to gRPC operation. If this is not possible, the DCOM Authentication Level should be configured to Packet Integrity, and Brio Servers must be configured to the same level.
Galaxy Hardening
Data Execution Prevention Configuration for Galaxy Servers
Windows Data Execution Prevention (DEP) must be disabled on Galaxy servers. If this poses an issue for the customer, it should be configured to the minimal possible setting for essential Windows programs and services. There is no need to disable DEP on the client side.
Firewall Configuration for Windows 2016 and Up
For customers using Windows 2016 and later, it is no longer necessary to disable the Base Filtering Engine or Windows Firewall. Instead, customers should ensure that the Windows Firewall (or any other firewall) has the appropriate ports opened.
Dalet Service User Requirements
The Dalet Service User should have access to all domain resources that the agent needs, and it must have local admin rights on the machine it runs from. This user account, used to run the Dalet Service, should not be used for daily activities by any individual. It is recommended to deny local logon for this account.
To avoid the need for periodic password changes, which might require a restart of the agents or site downtime, customers can explore using Managed Service Accounts (MSA), Group Managed Service Accounts (gMSA), or standalone Managed Service Accounts (sMSA).
Brio Drive Share Naming and Mounting Recommendations
The Galaxy lsu share names should include a $ at the end (e.g., DPShare$). This will hide the share from malware network scans. Additionally, it is recommended to never mount any share as a drive on any workstation or server.
Hardware and Software Recommendations
Dalet Pyramid
- Dalet Pyramid - Operational Requirements for Customer's Dedicated Deployment
- Dalet Network Communication and Ports Used
- Java Components and Licensing Model used in Dalet Solutions
Dalet Flex
- Flex Cloud Requirements
- Dalet Flex Operational Requirements for Customer-Hosted Deployments
- Flex on-prem Deployment Requirements
- Dalet Network Communication and Ports Used
- Java Components and Licensing Model used in Dalet Solutions
- Dalet Flex 3rd Party Integration
- Dalet Flex: Vendor Plugins
Dalet AmberFin
- Dalet Amberfin Hardware and Operating System Requirements
- Dalet Network Communication and Ports Used
- Java Components and Licensing Model used in Dalet Solutions
Dalet Galaxy
- Dalet Galaxy Network Requirements
- Dalet Galaxy Hardware and Software In-Depth Information
- Active Directory Installation and Configuration for Dalet Galaxy five
- Active Directory, Full Windows Authentication For Dalet Galaxy And MSSQL
- Windows updates procedure
- 3rd Party Vendors Matrix
- Dalet On the Go - Installation
- Dalet Network Communication and Ports Used
- Java Components and Licensing Model used in Dalet Solutions
- RCSI Settings SQL
Dalet Brio V3.26
- Dalet Brio V.26 Release Notes
- Dalet Network Communication and Ports Used
- Java Components and Licensing Model used in Dalet Solutions
DaletCubeNG
- Dalet CubeNG Installation Guide
- Dalet Solutions: Network Communication and Ports
- Java Components and Licensing Model used in Dalet Solutions
Dalet Cube Legacy
- Dalet Cube Installation Guide
- Dalet Solutions: Network Communication and Ports
- Java Components and Licensing Model used in Dalet Solutions
Legacy DaletPlus/Enterprise/Radio Suite
- Recommendations for Dalet Enterprise Edition 3.5
- Recommendations for Dalet Radio Suite HD and Dalet Galaxy Radio
Microsoft SQL
- Permissible MSSQL Versions per Dalet Version and Revision
- Dalet Network Communication and Ports Used
Windows Update Policies and Security Bulletins
All Windows updates can be applied, except major ones (Service Packs, etc.). However, if issues are found on a server after an update, the first thing to test is rolling back the latest update(s) that could be the origin of the issue.
For a list of supported operating systems, consult the article Dalet Supported Operating Systems.
Please read Technical Bulletin - Possible impacts of Meltdown and Spectre patches for more information.
Please read Security Bulletin on CVE-2021-44228 Log4Shell and Remediation Instructions.
Please read: Dalet Security Bulletins.
Dalet IT policy for R&D platforms with Windows OSs - install all 'critical' and 'security' patches automatically, and periodically approve other updates.
Anti Virus and Malware Removal
Dalet does not recommend specific anti-virus brands or brand-specific configurations. Most corporate anti-virus solutions are client-server based, and depending on various system events, antivirus may block proper Dalet performance. Ensure that the anti-virus configuration is optimized to minimize network interruptions caused by anti-virus software. Disable the heuristic mode if it exists. Antivirus updates should be scheduled outside the normal hours of newsroom and control room operation. Check all workstations for spyware regularly and remove it if present. On Dalet local/remote storage units, antivirus real-time scanning must exclude the media file extensions used with Dalet. If users can drag and drop audio/images into the client, make sure the local antivirus client checks these files. Antivirus local scans should not include the Dalet BIN / DaletPlusData folders, in particular not the LOG folder or the media content folders.
Windows Malicious Software Removal Tool (MSRT) can be executed at any time.
For information on which files/folders to exclude, consult the dedicated Antivirus exceptions recommendations.