Information concerning UAC, TOE, JAVA Variables, Offline Files, Desktop Experience, Security Policies: Windows 2008 R2, Windows 7, Windows 8.1, Windows 10 and Windows 2012
Disclaimer
Please note that in the versioning history of this article below, you can access information relevant to earlier Dalet software/Windows generations and their requirements. The active/future versions of this article will refer only to the current state of affairs.
The content below concentrates on particular modifications introduced in Windows versions following Windows XP. General software settings are listed in the Recommendations document.
Integrating Dalet Galaxy with Windows 2008 R2, Windows 7, Windows 8.1, Windows 10, Windows 2012 and Windows Server 2016
Link to Dalet minimum AD user requirements table Full_Windows_Authentication_for_Dalet
This document describes the additional configuration required on the above-mentioned Windows versions to ensure proper operation of Dalet applications.
The actions described in this white paper should be performed prior to the Dalet software installation.
DEP
Data Execution Prevention (DEP) is a security feature included in current Microsoft Windows operating systems that is intended to prevent an application or service from executing code from a non-executable memory region.
On Windows servers, DEP has to be set to "Data Execution Prevention for essential Windows Programs and Services Only". To access this setting, right-click "My Computer", select "Properties", click "Advanced" in the Properties window, and then open the Data Execution Prevention tab. Setting it to "All Programs" can lead to software crashes and other problems.
For Dalet Brio, DEP must be enabled; this can be done from an elevated command line:
bcdedit.exe /set {current} nx AlwaysOn
This command enables DEP in the same way as the GUI setting, for Windows services only.
Installing the Desktop Experience Feature (Windows Server OSs)
Since the release of Windows Server 2008, Microsoft has moved most of the common Windows feature services (such as Windows Media and DirectX support) into the Desktop Experience feature, which can be added on top of the basic Windows Server 2008/2012 installation. Otherwise these features are disabled.
For Dalet to be able to run, the Desktop Experience feature should be enabled on the server:
1. Open the Administrative Tools page and then double-click the Server Manager icon.
2. In Server Manager, click Add Features under Features Summary.
3. In the Add Features Wizard dialog box, ensure that Desktop Experience is selected.
4. Click Next, and then click Install.
5. After the installation is complete, click Close, and then close Server Manager.
Alternatively, use the command line: ServerManagerCmd -install Desktop-Experience
Additional Actions performed by Software tools
The previous SetServer/SetClient tools have been retired and replaced by the ZET PowerShell tool. Please refer to the ZET PowerShell tool article.
Disable or Modify User Account Control (UAC)
User Account Control (UAC) is a technology and security infrastructure introduced in the Windows Server family with Windows Server 2008, and in Windows 7 and later. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes and elevates the privileges.
By default Dalet servers require Administrator privileges on the running machine. At the simplest level, this requires turning off the UAC.
1. Click Start, and then click Control Panel.
2. In Control Panel, click User Accounts. You can also click the user's image in the Start Menu.
3. Click Change User Account Control settings and, in the properties window, pull the slider all the way down.
If the UAC settings offer no way to switch it off, you can do so through local policy on each server: the "User Account Control: Run all administrators in Admin Approval Mode" policy setting turns UAC off. When UAC is turned off, files and folders are no longer virtualized to per-user locations for applications that are not UAC compliant, and all local administrators are automatically logged on with a full administrative access token.
If UAC cannot be disabled due to Customer’s Security Policy
**Radio Suite HD**: To make it work, the machine must have the Dalet agent "channel detector" running, and in the Computer Management console under Security Settings > Local Policies > Users, make sure that the CreateGlobalObject policy is assigned to all groups on this machine.
Dalet 3.5 and up:
Described here are the minimal settings required so that Dalet can run normally under UAC restrictions.
Changing these settings obviously requires administrator access.
These are the settings:
In the Local Group Policy Editor (start it by running 'gpedit.msc'), go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment, and change the following settings:
To 'Create global objects' add the local 'Users' group (it should include the 'Domain Users' group).
To 'Increase a process working set' also add the local 'Users' group.
The same settings apply in domain scenarios; the difference is that instead of using the Local Group Policy Editor and Regedit, the domain administrator usually applies them by changing the GPO of the computer's group or OU.
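Before touching the policy, it is worth checking whether the two User Rights Assignments above already include the local 'Users' group. The following PowerShell check is an added example, not part of the Dalet article; it reads the policy that secedit.exe (built into Windows) exports and assumes an elevated session.

```powershell
# Added example, not from the Dalet article: verify the two User Rights Assignments
# the article requires under UAC by parsing secedit's exported local policy.
$UsersSid = '*S-1-5-32-545'   # well-known SID of the local Users group, as secedit writes it
$Required = [ordered]@{
    SeCreateGlobalPrivilege       = 'Create global objects'
    SeIncreaseWorkingSetPrivilege = 'Increase a process working set'
}

function Test-DaletUserRights {
    $inf = Join-Path $env:TEMP 'dalet-userrights.inf'
    # Export only the User Rights Assignment area of the effective local policy
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed (is the session elevated?)' }
    try {
        $lines = Get-Content -Path $inf
        foreach ($priv in $Required.Keys) {
            # Lines look like: SeCreateGlobalPrivilege = *S-1-5-32-544,*S-1-5-19,*S-1-5-20,*S-1-5-6
            $line = $lines | Where-Object { $_ -match "^\s*$priv\s*=" } | Select-Object -First 1
            $members = if ($line) {
                ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
            } else { @() }
            [pscustomobject]@{
                Policy     = $Required[$priv]
                Privilege  = $priv
                UsersHasIt = ($members -contains $UsersSid)
                Members    = ($members -join ' ')
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

Test-DaletUserRights | Format-Table -AutoSize
```

A row with UsersHasIt = False is a machine where the corresponding gpedit.msc change (or the domain GPO) has not been applied yet.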
Windows 10
On Windows 10 and Windows 2012/Windows 2016, you need to run Dalet applications "As Administrator". To run without this option, and to be able to drag and drop media into a Dalet Galaxy client (Windows otherwise shows a drop-forbidden icon), add the current user as a local administrator in the Server Manager app, and in the Local Security Policy app > Local Policies > Security Options set "User Account Control: Run all administrators in Admin Approval Mode" to "Disabled".
Disabling The Windows Firewall
Dalet requires running the Dalet servers without firewalls. To disable the firewall, perform the following operations:
1. Click Start, click Control Panel, click Network and Internet, and then under Windows Firewall, click Turn Windows Firewall on or off.
2. On the General tab of the Windows Firewall Settings dialog box, select Off and then click OK.
Or via the command line: netsh advfirewall set AllProfiles state off
If the customer insists on using the Windows firewall, Dalet applications use TCP ports in the range 7900 to 9000, which should be left open.
This can be done via the firewall GUI or via command line with:
for /L %i in (7900,1,9000) do netsh firewall add portopening TCP %i "Dalet Port %i"
An in-depth list of Ports used in Dalet is linked here.
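On Windows 8/2012 and later the whole Dalet range can be opened with a single rule instead of 1101 port openings, and the rule can be restricted to the network the Dalet hosts live on. The script below is an added example, not the article's or Dalet's code; the rule name and the 10.0.0.0/24 subnet are constructed placeholders, and an elevated session is assumed.

```powershell
# Added example, not from the Dalet article: one scoped inbound rule for TCP 7900-9000
# rather than disabling the firewall. Subnet and rule name are placeholders to adjust.
$RuleName   = 'Dalet Galaxy TCP 7900-9000'
$DaletHosts = '10.0.0.0/24'   # constructed placeholder: network of the Dalet servers/clients

function Set-DaletFirewallRule {
    # Idempotent: drop a stale copy of the rule before re-creating it
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 7900-9000 `
        -RemoteAddress $DaletHosts -Profile Domain, Private `
        -Action Allow -Enabled True | Out-Null

    # Read back what was actually stored, not what we intended
    $rule = Get-NetFirewallRule -DisplayName $RuleName
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}

Set-DaletFirewallRule | Format-List
```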
Disabling Offline Files
Using the Sync Center's feature to enable offline files can lead to access problems with files associated with titles. In the relevant Dalet logs, you may find the error: \\xxx.xxx.xxx.xxx\dalet\storage\SPLIT_Audio_12\000c5e0f.wav (The specified network name is no longer available.)
This can be resolved by disabling offline files from within the Sync Center (Control Panel\All Control Panel Items\Sync Center), Manage offline files.
Restart the computer once this setting has been modified.
Creating ODBC Data Source
Dalet applications that are 32-bit (depending on the revision) will only see ODBC connections created on the 32-bit side, while 64-bit applications will only see ODBC connections created on the 64-bit side. Each kind of application has its own registry. To set up a DSN for a 32-bit application you must manually launch, from the command line:
%WINDIR%\SysWOW64\odbcad32.exe
After the ODBC Data Source Administrator screen appears, continue defining your source as usual.
64-bit Dalet Galaxy uses the native ODBC wizard (%WINDIR%\System32\odbcad32.exe, or Control Panel > Administrative Tools > ODBC).
Updating JAVA Path Variables
Updating Java path variables is not necessary for any Dalet version using the Dalet Automatic Installer (DIS) from rev. 129351 and up. DIS provides Java for Dalet (Java 1.7.13), hosted in …/bin/jre, regardless of whether Java is installed on the machine or which Java version it has. All Dalet components know (according to Daletsoftware.xml) whether to use the 32-bit or 64-bit JRE.
Disabling TOE capabilities of Windows Server OSs
The TOE (TCP Offload Engine) capabilities of Windows Server OSs should be disabled (regardless of which NIC you are using). This can be done via the CLI and by modifying registry keys.
Via the CLI, perform the following commands:
netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled
netsh int tcp set global netdma=disabled
And then Add/Modify the following at HKLM\System\CurrentControlSet\Services\TCPIP\Parameters:
EnableRSS with DWORD value of 0
DisableTaskOffLoad with DWORD value of 1
EnableTCPA with DWORD value of 0
The above registry modifications can be achieved via the CLI:
Reg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v EnableRSS /t REG_DWORD /d 0
Reg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v DisableTaskOffLoad /t REG_DWORD /d 1
Reg add HKLM\System\CurrentControlSet\Services\TCPIP\Parameters /v EnableTCPA /t REG_DWORD /d 0
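Because the netsh commands and the registry values above must agree, an audit that reads both back is useful after a build or before a support case. This PowerShell audit is an added example, not part of the Dalet article; it compares the live state against the values the article requires and reports "not reported" where a newer Windows no longer prints a netsh line (NetDMA, for example).

```powershell
# Added example, not from the Dalet article: audit the TCP offload settings the article
# says to disable, from both the Tcpip\Parameters registry key and 'netsh int tcp show global'.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ExpectedReg   = [ordered]@{ EnableRSS = 0; DisableTaskOffLoad = 1; EnableTCPA = 0 }
$ExpectedNetsh = [ordered]@{
    'Receive-Side Scaling State' = 'disabled'
    'Chimney Offload State'      = 'disabled'
    'NetDMA State'               = 'disabled'
}

function Test-TcpOffloadSettings {
    $reg = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $ExpectedReg.Keys) {
        $actual = $reg.$name   # $null when the value has never been created
        [pscustomobject]@{
            Setting   = "Registry $name"
            Expected  = $ExpectedReg[$name]
            Actual    = if ($null -eq $actual) { 'not set' } else { $actual }
            Compliant = ($actual -eq $ExpectedReg[$name])
        }
    }
    # Output lines look like: "Chimney Offload State               : disabled"
    $netsh = netsh int tcp show global
    foreach ($label in $ExpectedNetsh.Keys) {
        $line   = $netsh | Where-Object { $_ -like "$label*" } | Select-Object -First 1
        $actual = if ($line) { ($line -split ':', 2)[1].Trim() } else { 'not reported' }
        [pscustomobject]@{
            Setting   = "netsh $label"
            Expected  = $ExpectedNetsh[$label]
            Actual    = $actual
            Compliant = ($actual -eq $ExpectedNetsh[$label])
        }
    }
}

Test-TcpOffloadSettings | Format-Table -AutoSize
```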