Grass Valley NAS Security User Manual

Number: 510057.001

The Quality System of:

Thomson Broadcast & Media Solutions

TBMS TBMS
400 Providence Mine Road 17 rue du Petit Albi-BP 8244
Nevada City, CA 95945 95801 Cergy Pontoise
Cergy, France
TBMS
Weiterstadt, Germany TBMS
Brunnenweg 9 10 Presidential Way, 3rd Floor, Suite 300
D-64331 Weiterstadt, Germany Woburn, MA 08101

TBMS TBMS
15655 SW Greystone Ct. 2300 South Decker Lake Blvd.
Beaverton, OR 97006 Salt Lake City, UT 84119

TBMS TBMS - PCB
Nederland B.V. Rennes, France
4800 RP BREDA Rue du Clos Courtel
The Nederlands Cesson-Sevigne, Cedex
France

TBMS/Nextream TBMS/Nextream
Rennes, France Technopole Brest Iroise
Rue du Clos Courtel CS 73808
Cesson-Sevigne, Cedex 29238 Brest Cedex 3
France France

Including its implementation, meets the requirements of the standard:

ISO 9001:2000

Scope: The design, manufacture and support of video hardware and software products
and related systems.

This Certificate is valid until: June 14, 2006
Revision Date: September 9, 2003
Renewal Date: June 14, 2003
Issued for the first time: June 14, 2000

Copyright

Copyright © 2005 Thomson Broadcast and Media Solutions, Inc. All rights
reserved. Printed in the United States of America.

This document may not be copied in whole or in part, or otherwise reproduced
except as specifically permitted under U.S. copyright law, without the prior written
consent of Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900,
Nevada City, California 95959-7900

Trademarks

Disclaimer

U.S. Government
Restricted Rights
Legend

Revision Status

FeedClip, Grass Valley, NewsEdit, NewsQ, and Profile are either registered
trademarks or trademarks of Thomson Broadcast and Media Solutions, Inc. in the
United States and/or other countries. Other trademarks used in this document are
either registered trademarks or trademarks of the manufacturers or vendors of the
associated products. Thomson Broadcast and Media Solutions, Inc. products are
covered by U.S. and foreign patents, issued and pending. Additional information
regarding Thomson Broadcast and Media Solution, Inc.’s trademarks and other
proprietary rights may be found at www.thomsongrassvalleygroup.com.

Product options and specifications subject to change without notice. The
information in this manual is furnished for informational use only, is subject to
change without notice, and should not be construed as a commitment by Thomson
Broadcast and Media Solutions, Inc. Thomson Broadcast and Media Solutions,
Inc. assumes no responsibility or liability for any errors or inaccuracies that may
appear in this publication.

Use, duplication, or disclosure by the United States Government is subject to
restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data
and Computer Software clause at DFARS 252.277-7013 or in subparagraph c(1)
and (2) of the Commercial Computer Software Restricted Rights clause at FAR

52.227-19, as applicable. Manufacturer is Thomson Broadcast and Media
Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900 U.S.A.

Rev Date Description

March 31, 2005 Release for Software Version 5.1A to 071-8396-00

Contents

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Step 1 Designing a Security Schema

Sample Security Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

NewsShare System Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . 11

Permissions and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Step 2 Setting Up a Domain Controller

Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Installing Windows 2000 Server Software . . . . . . . . . . . . . . . . . . . . . . 16

Adding the Domain Controller to Your Network . . . . . . . . . . . . . . . . . . 16

Adding the New Machine to the Parent Domain. . . . . . . . . . . . . . . . . . 18

Configuring the Domain Controller with Active Directory . . . . . . . . . . . 19

Configuring a New Domain Tree With Integrated DNS . . . . . . . . . . 19

Configuring a Child Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring DNS With Forwarder . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Creating Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Assigning Users to Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Step 3 Discontinuing NAS Service

Step 4 Joining Machines to the New Domain

For Each DNP Workstation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

For the NAS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Step 5 Adding Security to the NAS Server

Step 6 Turning the System Back On

Step 7 Setting Security Permissions

Setting NewsEdit Root Level Permissions . . . . . . . . . . . . . . . . . . . . . . 46

Setting NewsEdit Bin Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Step 8 Testing

NewsEdit system operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

SmartBins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Appendix Removing Security from the NAS Server

Digital News Production

3

Contents

4

Digital News Production

Grass Valley Product Support

To get technical assistance, check on the status of problems, or report new
problems, contact Grass Valley Product Support via e-mail, the Web, or by
phone or fax.

Web Technical Support

To access support information on the Web, visit the product support Web page
on the Grass Valley Web site. You can download software or find solutions to
problems by searching our Frequently Asked Questions (FAQ) database.

Grass Valley Product Support

World Wide Web:
Technical Support E-mail Address:

http://www.thomsongrassvalley.com/support/

gvgtechsupport@thomson.net.

Phone Support

Use the following information to contact product support by phone during
business hours. Afterhours phone support is available for warranty and contract
customers.

United States (800) 547-8949 (Toll Free) France +33 (1) 34 20 77 77

Latin America (800) 547-8949 (Toll Free) Germany +49 6155 870 606

Eastern Europe +49 6155 870 606 Greece +33 (1) 34 20 77 77

Southern Europe +33 (1) 34 20 77 77 Hong Kong +852 2531 3058

Middle East +33 (1) 34 20 77 77 Italy +39 06 8720351

Australia +61 1300 721 495 Netherlands +31 35 6238421

Belgium +32 2 3349031 Poland +49 6155 870 606

Brazil +55 11 5509 3440 Russia +49 6155 870 606

Canada (800) 547-8949 (Toll Free) Singapore +656379 1390

China +86 106615 9450 Spain + 34 91 512 03 50

Denmark +45 45968800 Sweden +46 87680705

Dubai + 971 4 299 64 40 Switzerland +41 (1) 487 80 02

Finland +35 9 68284600 UK +44 870 903 2022

Digital News Production

5

Preface

Authorized Support Representative

Profile Users Group

A local authorized support representative may be available in your country. To
locate the support representative for your country, visit the product support
Web page on the Grass Valley Web site.

You can connect with other Profile XP Media Platform users to ask questions
or share advice, tips, and hints. Send e-mail to profile-users@thomson.net to
join the community and benefit from the experience of others.

6

Digital News Production

Introduction

With NAS security, you can control the visibility and access for users and
groups within NewsEdit bins by associating the bins and assets with file system
permissions. NAS security uses the overlapping modes of exclusivity,
propagation of granted permissions, and group membership to establish file
system security. These principals apply:

• Selective access—You create groups of users, such as Editors or Producers,
and set permissions for each group.

• Partial control—You control access to branches of the Bin tree for users and
groups.

• Administrative control—The Administrator has exclusive access to a tool in
the top-level bin that allows the setting of permissions in the top-level bins.

Steps 1-2 can be completed at any time in preparation for NAS Security. Steps
3-8 must be done with the NewsShare system off line, during a maintenance
window.

To use NAS security in your newsroom, follow these steps:

Step: Description Refer to...

1 Design a security schema Page 9

2 Create and configure a Domain Controller Page 13

3 Discontinue NAS Service and disconnect DNP workstations

from the drive mapped to the NAS Server

4 Join computers to the new domain Page 33

5 Add security to the NAS Server Page 37

6 Map DNP workstations to the secure network drive on the NAS

Server

7 Set permissions for the shared volume Page 45

8 Test to make sure that security is working Page 49

The rest of this manual discusses each of these steps in detail.

Digital News Production

Page 31

Page 43

7

8

Digital News Production

1

Step

Designing a Security Schema

The first step in setting up security in your NAS system is to determine a schema
for permissions. The schema determines which groups you create, and which
permissions you give each group.

Thomson Grass Valley has created a typical schema for use in illustrating
security principles in this document. You may use this schema if it is
appropriate for your newsroom, or create your own. For the examples in this
manual, we’ll assume that the newsroom has five groups: Editors, Producers,
Archivists, Ingestors, and Viewers.

The NAS security principles are agnostic to these groups, though the use of
groups greatly simplifies the establishment of the security schema. We picked
these names as exemplary; you do not need to use them in your operation. You
can have as many or as few groups as you like, named however you wish. If
your domain has a tree hierarchy, you may assign permissions to global groups
as well.

It’s important to establish a simple, consistent group structure. As with any
large, shared file system, permissions are best applied for groups, not users.
Individual user rights are then determined by administering group membership.

The core of Thomson Grass Valley’s Serial ATA NAS product is a highly
customized and tuned Linux-based Samba server. This knowledge will help you
as you work with the security features which derive more from Samba than
Windows. There are some particular differences to note. The Windows features
of inheritance and denial are not identically supported or defined in Samba;
these functions are effected, respectively, by the limited, automatic propagation
upon setting of allowed permissions to descendants in the file tree, and by the
strict use of the Allow control as the inverse of Deny. There is no explicit Delete
permission; this is bound to the Write permission.

The discussion in this chapter pertains to planning groups, users, and
permissions. The actual creation of domain entities and setting of permissions
are done in Step 7.

Digital News Production

9

Step 1 Designing a Security Schema

Sample Security Schema

The following table lists the groups and permissions being used as an example
in this document:

News Group Bin Permissions

Domain Administrator All Full control

News Admins All Full control

Editors Monday-Sunday Read/Write

Feeds Read only

HFR Read/Write

Archive Read/Write

Producers Monday-Sunday Read/Write

Feeds Read only

HFR Full control

10

Archive Read/Write

Archivists Monday-Sunday Read only

Feeds Read/Write

HFR Read only

Archive Full control

Ingestors Monday-Sunday Read only

Feeds Full control

HFR None (permission denied)

Archive Read/Write

Viewers Monday-Sunday Read only

Feeds Read only

HFR Read only

Archive Read only

Digital News Production

NewsShare System Users and Groups

***** Contact Grass Valley
Support for password.

*****

NewsShare System Users and Groups

At a minimum, you need to create a user-group set for use by certain
components of the NewsShare system:

Group User Members Password

Vibrint Services VibrintService

Permissions and Groups

In addition to the groups you’ll create for your newsroom, you need to set
permissions for two built-in groups—Domain Admins and Everyone. Based on
our security schema, the following table illustrates how groups and permissions
are set for the various NewsEdit folders and bins:

Domain Admins

Everyone

Archivists

Editors

Ingestors

Producers

Viewers

News Admins

Use
NewsEdit
Tools | Set
Root
Permissions

Use Bin
Security
Properties

V:\VibrintAVFiles

Monday-Sunday
Bins

Feeds Bin

HFR Bin

Archive Bin

F

= Full Control

L

= List Folder Contents

R

= Read

= Write

W

FL RL RL RL RL R L R F

F R W R W L R

FWRWRL R

FRW WL R

F WWWWL R

Digital News Production

11

Step 1 Designing a Security Schema

12

Digital News Production

2

Step

Setting Up a Domain Controller

A Domain Controller is a separate machine running Windows 2000 Server
software and configured with Active Directory. If purchased from Thomson
Grass Valley, an XRE is used. If the sole responsibility of the machine is to act
as a domain controller, SMG- or customer-furnished equipment may be used,
provided that it meets the specifications necessary to host Windows 2000
Server.

In general, you need to follow these guidelines for the Domain Controller:

• The Domain Controller cannot be an FSM nor a DSM.

• A separate Domain Controller and related domain node should be allocated
to the technical LAN subnet. This Domain Controller should also have
sufficient access to all related LANs to establish trusts and provide
authentication services.

• An XRE can be used to host another NewsEdit product, SmartBins.

• The domain controller may be remote to the NAS, but needs high availability
and direct configurability by your newsroom engineering department.

• Consistent with the Windows domain model, the domain controller may also
use a backup within the NAS subnet.

• You can either create a Domain Controller as a new domain tree or as a child
domain to an existing Domain Controller on your network.

• For normal newsroom operation, if the domain controller is a member of a
forest or tree, the Domain Controller can be subordinate: trusting but not
trusted.

The configuration of Microsoft Windows domains with Active Directory is a
broad and deep topic that is documented extensively by a variety of resources,
including Microsoft’s website. Each news organization has different
infrastructure and policies regarding the configuration of domains. What
NewsShare NAS security requires is an Active Directory zone with at least one
dedicated Windows 2000 Server domain controller; there are several ways to
achieve this, and the choice appropriate for your organization depends on your
organization’s culture, infrastructure, and IT policies.

Digital News Production

13

Step 2 Setting Up a Domain Controller

In planning, you need to determine the relationship of the new domain to its
tree; whether it will use integrated, delegated, or standalone DNS; and whether
the domain controller’s mode will be mixed, in order to interoperate with pre­Windows 2000 domain controllers, or native, allowing advanced features,
particularly greater opportunity in configuring user groups. The recommended
configuration to effect the most flexible control of the technical domain is to
run integrated DNS on a native-mode domain controller.

This guide details two of the many ways to set up a domain controller with
Active Directory:

• First node in a domain tree, integrated DNS, (mixed-mode) permissions
compatible with pre-Windows 2000 servers.

• Child node in an existing domain tree, (integrated) DNS in the parent,
(native-mode) permissions compatible with Windows 2000 servers and
higher.

As an adjunct step, depending on the trust relationship between the domain
controllers for NewsShare and those of the larger organization, the use of a
standalone DNS with forwarding may be necessary to achieve a highly isolated
domain. This configuration step is detailed as well.

14

Digital News Production

Overview

To create a Domain Controller, follow these steps:

Install Windows 2000 Server software page 16

Add the Domain Controller to the network page 16

Overview

What to do Refer to...

Add the new machine to the parent domain (if creating a child
domain)

Configure Active Directory page 19

Create new groups page 24

Create users as necessary page 26

Assign users to the new groups page 28

page 18

Digital News Production

15

Step 2 Setting Up a Domain Controller

Installing Windows 2000 Server Software

Install the Windows 2000 Server software following the network configuration
for your news station.

See the

2000 Server Online Help

Microsoft Windows 2000 Security Configuration Guide

for more information.

or the

Windows

Adding the Domain Controller to Your Network

You need to add the new Domain Controller to your existing network:

1. Right-click on My Network Places and select
The Network and Dial-up Connections window opens.

2. Right-click on the Ethernet Adapter icon and select

3. Select

4. Click

Internet Protocol

Advanced

The Advanced TCP/IP Settings window opens:

.

and click

Properties

Properties

.

.

Properties

.

16

Digital News Production