
Benjamin KAHANE
Recommendations for Dalet Solutions
The information provided in this document contains proprietary and confidential information that is the property of Dalet.
Distribution of any information contained in this document to third parties including, but not limited to contractors, system integrators, and other vendors is strictly prohibited without prior written consent of Dalet.
Product specifications and availability are subject to change without notice. Dalet is a registered trademark owned by Dalet. All other brands and trademarks are those of their respective owners.
To ensure optimal performance, the Galaxy system requires certain media file types to be excluded from real-time antivirus scans. Such scans can introduce latency or cause access failures in some cases. The specific file extensions to be excluded may vary depending on the customer's workflow and the video formats they use.
Commonly recommended media file extensions for exclusion include: MXF, MOV, M2V, MPD, M4A, M4V, M4S, WAV, MP4, MP2, MP3, M3U8, IDX, VOL, TCD, IXF, ITI, TGA, PNG, EDL, SRT, and HEP.
Additionally, for each of these extensions, a parallel extension with the suffix "WREC" should also be excluded (e.g., MXFWREC for MXF). This additional extension is used during "While Operations."
Dalet does not have specific requirements for antivirus and SQL Server configurations. Instead, we recommend following the guidelines provided by Microsoft, which can be found at the following link: Configure antivirus software to work with SQL Server - SQL Server.
Here is an example of PowerShell code to apply the recommended file extension exclusions in Windows Defender (run from an elevated PowerShell session; Add-MpPreference -ExclusionExtension takes the bare extension, without a wildcard):
# List of file extensions to exclude (bare extensions, no "*." prefix)
$fileExtensions = @("mxf", "mov", "m2v", "mpd", "m4a", "m4v", "m4s", "wav", "mp4", "mp2", "mp3", "m3u8", "idx", "vol", "tcd", "ixf", "iti", "tga", "png", "edl", "srt", "hep")
# Add each extension to the Windows Defender exclusion list
foreach ($extension in $fileExtensions) {
    Add-MpPreference -ExclusionExtension $extension
}
# Add the corresponding WREC extensions (e.g., mxfwrec for mxf)
foreach ($extension in $fileExtensions) {
    $wrecExtension = "${extension}wrec"
    Add-MpPreference -ExclusionExtension $wrecExtension
}
# Verify the resulting exclusion list
(Get-MpPreference).ExclusionExtension
For any third-party solutions integrated with Galaxy, the same recommendations apply (unless stated otherwise by the vendor). Please consult the vendor to determine the required media file extensions that should be excluded.
Dalet AmberFin
Antivirus exceptions recommendations for Dalet Amberfin.
Dalet AmberFin Hardware and Operating System Requirements.
The Dalet Brio Video appliance comes pre-configured and hardened, using Windows Defender as its antivirus solution. By default, Brio software executable files are excluded from scanning. However, this exclusion can be removed, and the provided script for file extensions can be deployed on the Brio server as an alternative.
Since Brio is a Video Server Appliance, it should be treated as such and should not be connected to any endpoint management system. Updates to its Windows Defender should be managed via Windows Update (process discussed in a different section). In the event of a 0-day vulnerability, the security intelligence update can be manually downloaded and deployed from the following link:
Latest security intelligence updates for Microsoft Defender Antivirus and other Microsoft antimalware - Microsoft Security Intelligence.
As Dalet products are being used in sensitive real time environments, Dalet does not recommend deploying Windows updates automatically/unattended.
Windows update deployment should be scheduled and agreed upon with the Dalet administration team on-site.
In addition to 0-day security updates (that should be deployed asap), Microsoft releases its updates every second Tuesday of the month (commonly known as Patch Tuesday). Dalet recommends waiting at least an additional week before deploying these updates, making it the third Tuesday of the month.
The customer’s IT team should inform the Dalet administration team when such updates are applied to ensure proper follow-ups and address any issues that may arise from the updates.
For Brio Video Server appliances, the above recommendations still apply. However, all updates (including 0-day security updates) should be performed using a command line updating tool called “WUP.” After regular Windows updates (Patch Tuesdays), WUP should be launched again after a reboot to ensure no further updates are needed.
Please obtain the latest WUP script from Dalet Support.
Running Windows Update independently on Brio Appliances might result in failure or damage to the Brio operating system.
To minimize the Brio Server's external footprint, configure Windows Firewall to allow only the following service ports:
Brio Appliance Service                     | REST         | TCP  | gRPC
Dalet Brio Amazon S3 copier                | 9081         |      |
Dalet Brio Anywhere Copier                 | 9082         |      |
Dalet Brio Avid copier                     | 9083         |      |
Dalet Brio Database Server                 | 9120         |      |
Dalet Brio FTP copier                      | 9084         |      |
Dalet Brio Router Controller               | 9111         |      |
Dalet Brio VTR Controller                  | 9170         |      |
Dalet Brio Backup Copier                   | 9080         |      |
Dalet Brio NMOS                            | 9300         |      |
Dalet Brio NMOS Connection management      | 9302         |      |
Dalet Brio NMOS Registration               | 9301         |      |
Dalet Brio Aspect Ratio Changer            | 8080         |      |
Dalet Brio Extractor A..H                  | 9031..9038   |      |
Dalet Brio Mover A..H                      | 9041..9048   |      |
Dalet Brio RTP Mosaic Server               | 9101         |      |
Dalet Brio RTP Gateway                     | 9102         |      |
Dalet Brio Streaming Server Player A..H    | 8080..8087   |      |
Dalet Brio Streaming Server Recorder A..H  | 8090..8097   |      |
Dalet Brio VDCP A..H                       | 10521..10528 |      |
Dalet Brio VDCP Gateway                    | 10500        |      |
Dalet Brio FTP Server                      | 21           |      |
Dalet Brio Portal                          | 9200         |      |
Dalet Brio Player API                      | 9160         |      |
Dalet Brio File System API                 | 9150         |      |
Dalet Brio Logs Collector                  | 9180         | 9009 |
Dalet Brio Socket logging server           | 11111-11153  |      |
Dalet Brio Sentinel Service                | 9010         |      |
Dalet Brio Manager                         | 9100         |      |
Dalet Brio Player A..H                     | 9011..9018   |      |
Dalet Brio Recorder A..H                   | 9021..9028   |      |
Dalet Brio FIMS Capture Service            | 9000         |      |
Dalet Brio FIMS Transfer Service           | 9001         |      |
Dalet Brio Ingest Scheduler                | 9140         |      |
Dalet Brio Streaming Monitor               | 8433         |      |
SMB Protocol (File and Printer Sharing)    | 445          |      |
SMB Protocol (SMB Over NetBios)            | 139          |      |
The Brio V:\ drive share name should include a $ at the end (e.g., media$). This will hide the share from malware network scans. Additionally, it is recommended to never mount the Brio share as a drive on any workstation or server.
While Dalet recommends using SMB as the default protocol for file transfers to and from the Brio Video Server Appliance, you can disable SMB entirely and use the Brio FTP Server instead.
(Note: SMB 1.0 is disabled by default on the Brio Video Server Appliance.)
The Brio Video Server Appliance is based on Windows Server technology. Windows Server automatically creates hidden administrative shares to allow administrators, programs, and services to access and manage resources. However, these administrative shares can pose a security risk and can be disabled.
Administrative shares can be disabled by modifying the registry value HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\AutoShareWks and setting it to 0.
(Note: disabling administrative shares does not disable the IPC$ share. Although this share is not used to access files directly, ensure that anonymous access to it is disabled. Alternatively, you can remove the IPC$ share completely with net share IPC$ /delete.)
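An added PowerShell example (not Dalet's own script) that applies the share hardening described above and audits the result. It assumes the Brio media share is named media$; the AutoShare values live under the Parameters subkey of LanmanServer, and Windows Server honours AutoShareServer while client editions honour AutoShareWks, so both are set.

```powershell
# Added example, not Dalet's script. Run elevated on the Brio appliance in a
# maintenance window: restarting the Server service drops active SMB sessions.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$MediaShareName = 'media$'   # assumed share name, following the naming rule above

# 1. Stop Windows from recreating the administrative shares (C$, ADMIN$, V$ ...).
#    Windows Server reads AutoShareServer, client editions read AutoShareWks.
Set-ItemProperty -Path $Params -Name AutoShareServer -Value 0 -Type DWord
Set-ItemProperty -Path $Params -Name AutoShareWks    -Value 0 -Type DWord

# 2. IPC$ survives step 1: deny anonymous (null-session) access to named pipes and shares.
Set-ItemProperty -Path $Params -Name RestrictNullSessAccess -Value 1 -Type DWord

# 3. Restart the Server service so the AutoShare* values are re-read; the
#    administrative shares are not recreated, ordinary shares come back.
Restart-Service LanmanServer -Force

# 4. Audit. A trailing "$" hides a share from browse lists (not from authenticated
#    enumeration), so every remaining share should be hidden, and only the media
#    share is expected.
function Get-ShareFindings {
    foreach ($s in Get-SmbShare) {
        if ($s.Name -eq 'IPC$') { continue }
        if ($s.Name -notlike '*$') {
            "$($s.Name): visible in browse lists, rename to $($s.Name)`$"
        } elseif ($s.Name -ne $MediaShareName) {
            "$($s.Name): unexpected hidden share, review"
        }
    }
}
Get-ShareFindings
# To remove IPC$ entirely, as the document notes:  net share IPC$ /delete
```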
For customers who do not run production servers on a Broadcast Data Network separate from the rest of the network (users), an additional layer of protection can be achieved. This can be done by limiting traffic to and from the Brio Video Server appliances to specific hosts (such as IngestManager and Broadcast Servers) using Windows Firewall or network switches.
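An added PowerShell example (not Dalet's own script) that implements both recommendations, the port table above and the host restriction in this paragraph, with Windows Firewall. The peer addresses and the admin subnet are constructed placeholders (TEST-NET-1), and the group name "Dalet Brio services" is an assumption of this example.

```powershell
# Added example, not Dalet's script: allow inbound TCP only on the Brio service
# ports from the table above, optionally only from named peers, and block the rest.
# Placeholder addresses; replace with the IngestManager / broadcast server hosts,
# or leave the array empty to accept the listed ports from any source.
$AllowedPeers = @('192.0.2.10', '192.0.2.11')

# TCP ports transcribed from the table (ranges as "start-end"). 8080 serves both the
# Aspect Ratio Changer and Streaming Player A. Drop 445/139 if SMB is disabled.
$BrioTcpPorts = @(
    '21', '139', '445',
    '8080-8087', '8090-8097', '8433',
    '9000', '9001', '9009', '9010', '9011-9018', '9021-9028', '9031-9038', '9041-9048',
    '9080', '9081', '9082', '9083', '9084', '9100', '9101', '9102', '9111', '9120',
    '9140', '9150', '9160', '9170', '9180', '9200', '9300', '9301', '9302',
    '10500', '10521-10528', '11111-11153'
)
$Group = 'Dalet Brio services'

# Default-deny inbound on every profile; outbound stays allowed.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -Enabled True

# Replace any earlier rules from this script so re-runs stay idempotent.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$rule = @{
    DisplayName = "$Group (inbound TCP)"
    Group       = $Group
    Direction   = 'Inbound'
    Protocol    = 'TCP'
    LocalPort   = $BrioTcpPorts
    Action      = 'Allow'
    Profile     = 'Any'
}
if ($AllowedPeers.Count -gt 0) { $rule.RemoteAddress = $AllowedPeers }
New-NetFirewallRule @rule | Out-Null

# Management access (RDP, WinRM) is not in the table: allow it explicitly from the
# admin network, otherwise the default-deny above cuts it off. Placeholder subnet.
New-NetFirewallRule -DisplayName 'Admin RDP' -Group $Group -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress '192.0.2.0/24' -Action Allow | Out-Null

# Verify: list the ports each rule in the group actually opens.
function Get-BrioOpenPorts {
    Get-NetFirewallRule -Group $Group -Direction Inbound | ForEach-Object {
        $r = $_
        $r | Get-NetFirewallPortFilter |
            Select-Object @{n = 'Rule'; e = { $r.DisplayName }}, Protocol, LocalPort
    }
}
Get-BrioOpenPorts | Format-Table -AutoSize
```

If the Brio FTP Server is used, its passive data port range (not listed in the table) must also be allowed, otherwise transfers will stall after the control connection.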
Brio/Galaxy Operating Protocol
For Galaxy Version 376 and above, Brio MediaAgents and Brio Servers should be moved to gRPC operations. If this is not possible, the DCOM Authentication Level should be configured to Packet Integrity. Brio Servers must also be configured to this same level.
Windows Data Execution Prevention (DEP) must be disabled on Galaxy servers. If this poses an issue for the customer, it should be configured to the minimal possible setting for essential Windows programs and services. There is no need to disable DEP on the client side.
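An added PowerShell example (not Dalet's own script) that applies and verifies the two server settings above for the case where gRPC cannot be used: the DCOM default authentication level set to Packet Integrity, and DEP at the minimal "essential Windows programs and services only" setting (OptIn) rather than fully off. It uses the Windows DCOM default-level registry value under HKLM\SOFTWARE\Microsoft\Ole and bcdedit's nx policy; both are standard Windows settings, not Dalet-specific ones.

```powershell
# Added example, not Dalet's script. Run elevated on a Galaxy server that still uses
# DCOM. The DEP change needs a reboot; the DCOM value applies to new connections.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
# DCOM authentication levels: 1 None, 2 Connect, 3 Call, 4 Packet,
# 5 Packet Integrity, 6 Packet Privacy.
$PacketIntegrity = 5

# Default level for DCOM callers and servers that do not set one explicitly.
Set-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel -Value $PacketIntegrity -Type DWord

function Test-DcomAuthLevel {
    $v = (Get-ItemProperty -Path $OleKey -Name LegacyAuthenticationLevel `
            -ErrorAction SilentlyContinue).LegacyAuthenticationLevel
    # Unset, or anything below Packet Integrity, does not meet the recommendation above.
    return ($null -ne $v -and [int]$v -ge $PacketIntegrity)
}

# DEP: OptIn covers only essential Windows programs and services, the minimal setting
# the document allows when DEP cannot be turned off. Servers only; clients keep defaults.
bcdedit /set '{current}' nx OptIn | Out-Null

function Get-DepPolicy {
    # bcdedit lists the policy as "nx  OptIn" / "OptOut" / "AlwaysOn" / "AlwaysOff".
    $m = bcdedit /enum '{current}' | Select-String '^\s*nx\s+(\S+)'
    if ($m) { $m.Matches[0].Groups[1].Value } else { 'not set (Windows default)' }
}

"DCOM default authentication level is Packet Integrity or higher: $(Test-DcomAuthLevel)"
"DEP policy (effective after reboot): $(Get-DepPolicy)"
```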
For customers using Windows 2016 and later, it is no longer necessary to disable the Base Filtering Engine or Windows Firewall. Instead, customers should ensure that the Windows Firewall (or any other firewall) has the appropriate ports opened.
The Dalet Service User should have access to all domain resources that the agent needs, and it must have local admin rights on the machine it runs from. This user account, used to run the Dalet Service, should not be used for daily activities by any individual. It is recommended to deny local logon for this account.
To avoid the need for periodic password changes, which might require a restart of the agents or site downtime, customers can explore using Managed Service Accounts (MSA), Group Managed Service Accounts (gMSA), or standalone Managed Service Accounts (sMSA).
The Galaxy LSU share names should include a $ at the end (e.g., DPShare$).
This will hide the share from malware network scans.
Additionally, it is recommended to never mount any share as a drive on any workstation or server.