Securing a NAS in 14 Steps

Almost every NAS is chock-full of important files, no matter how much the devices differ in performance and functionality. These files (such as photos, documents and backups) are often of great importance and should not be lost. That is why they were put on the NAS in the first place. What is often forgotten is that the NAS itself must be properly secured. Securing a NAS can be done in 14 steps.


NAS devices owe their popularity to their large storage space and the ease with which you can store and share files centrally. A NAS (certainly one equipped with several disks) quickly makes a professional impression: such a device must be good and safe, right? But appearances can be deceiving. A NAS can be very safe and take good care of the stored files, but you have to do something for that. The NAS must first be properly set up and secured, and after that its correct operation must be monitored. Otherwise, what appears to be the best place for all your data can turn out to be a huge vulnerability… what's known in business as a "single point of failure."

Step-by-step

Synology, QNAP, Netgear, Asustor, Drobo and Western Digital: there are many NAS brands, each with its own operating system. In terms of functionality those operating systems are sometimes as alike as two peas in a pod, but configuring them always works slightly differently. These differences make it impossible to indicate in this article exactly how a particular function is turned on or off in each NAS operating system. That is why we limit ourselves to naming the things that matter for the security of a NAS. You will find the specific instructions online and in the NAS documentation.

01 Software and updates

An important part of every NAS is the software on it. It consists of two or three parts: the operating system (also called firmware in this context), the official extensions and possibly also unofficial extensions. For the firmware, we recommend not lagging too far behind and installing a new version not too long after its release. You can even automate this by having the NAS check for updates and new firmware itself and then install them. Another option is to have the NAS download updates directly but install them only when you say so. Because you sometimes hear that new updates or new firmware cause problems, that is also a fine option. However, don't wait too long: just like Windows, the operating systems of NAS devices sometimes contain errors that are removed with these updates. Preferably always use the download and installation function of the NAS itself, because it also checks the origin of the firmware and whether the download is undamaged. Read the release notes that come with new firmware; they contain information about the new version and its compatibility.

02 Extensions

Besides the firmware, there are two more types of software on the NAS: the official extensions and the unofficial extensions. The official extensions are in the app store of the NAS. They are offered as standard by the NAS manufacturer or its partners, and go through quality control before they appear in the app store. Always update these as soon as possible and preferably automatically. If you also plan to install extensions from alternative sources, be aware that these have not been quality checked by the NAS manufacturer and that you are at greater risk. There are quite a few good unofficial extensions out there, but before updating them it is important to assess compatibility by reading the release notes and forum posts.

03 Users

A group named Users is present on the NAS by default. Create a new account for each user of the NAS and make it a member of this default Users group. Do not make regular users members of the Administrators group. Depending on the NAS you use, you can set additional options besides the username and password, such as requiring the password to be changed at first login. You can also grant or deny access to certain folders on the NAS, and grant access to certain functions such as logging in to the desktop of the NAS or using the ftp server, the File Station and the file explorer. Don't be too generous with permissions; you can always assign more later.

04 Regular user

Also create an account for yourself in the Users group, and use it whenever you use the NAS normally. Use this account as well to make network connections to a folder on the NAS. Only log in as Administrator if you really need to adjust the configuration of the NAS. Depending on the brand of NAS, you can set additional options such as sending an email with the account details to the new user, or requiring the user to change the password when logging in for the first time. For the password itself, you can set a password policy that sets minimum requirements for its length and complexity.

Get rid of the admin

Hackers also know that the administrator account of a NAS is called admin almost by default. With that, they are already halfway there. You can further improve security by disabling this account and creating another account that you use to change the configuration of the NAS. Log in as admin and create a new user with a strong password in the Administrators group. Record the username and password in a password vault such as KeePass. Then log out as the default admin and log in again with the new account. Check that you have admin rights and, if so, open the Users section again, select the old admin account and disable it.

05 Less vulnerable

Most NAS devices offer a large number of other functions in addition to storage space. These can be standard functions such as ftp, but also services added later, such as a download function or a media player. An important step in securing the NAS is to disable all functions that you do not use. This also helps the performance of the NAS: a function that is not active uses no processor time and no memory, and cannot be abused. Log in to the NAS and open the app store (Package Center, App Central, or whatever the part of your NAS that lets you add extra functions is called). Here you can see the installed extensions. Remove the extensions you don't use or, if you are in doubt, disable them for a while first. Also check the Configuration section for common features that you could disable. Be more careful here: unlike the installed extensions, these standard components more readily affect the operation of the NAS.

06 Prevent burglary

To prevent someone from forcing access to the NAS by endlessly guessing the password, you can block accounts and/or IP addresses that make too many incorrect login attempts. The exact operation differs per brand of NAS. At Synology it is called Auto Block, and it applies to logging in to the NAS itself, to communication protocols such as ssh, telnet and ftp, and to components such as File Station, Photo Station and many more. QNAP's network access security offers the same, but with the ability to enable it on a per-protocol basis. These functions work by IP address. If you want to block user accounts with too many incorrect login attempts, choose Account Security. You can choose to lift a block after a few days.
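The blocking logic described in this step, as an added example that is not part of the original article and is not any vendor's implementation: it replays constructed login records and applies the same threshold once per IP address and once per account. The log format, the `FailureCounter` class and the limits (3 failures within 5 minutes, block lifted after 1 day) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, account, result); not real NAS output.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 admin FAIL
2024-05-01T10:00:20 203.0.113.7 root FAIL
2024-05-01T10:00:40 203.0.113.7 guest FAIL
2024-05-01T10:01:00 203.0.113.7 admin FAIL
2024-05-01T11:00:00 198.51.100.1 jan FAIL
2024-05-01T11:01:00 198.51.100.2 jan FAIL
2024-05-01T11:02:00 198.51.100.3 jan FAIL
2024-05-01T11:03:00 192.168.1.20 jan OK
2024-05-03T09:00:00 192.168.1.20 jan OK
"""

class FailureCounter:
    """Blocks a key (an IP address or an account) after `limit` failures inside `window`."""
    def __init__(self, limit, window, block_for):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.failures = defaultdict(deque)  # key -> times of recent failures
        self.blocked_until = {}             # key -> time at which the block is lifted
    def is_blocked(self, key, now):
        return now < self.blocked_until.get(key, datetime.min)
    def fail(self, key, now):
        recent = self.failures[key]
        recent.append(now)
        while now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.limit:
            self.blocked_until[key] = now + self.block_for
            recent.clear()
        return self.is_blocked(key, now)      # True only if this failure caused a block

def replay(log, limit=3, window=timedelta(minutes=5), block_for=timedelta(days=1)):
    """Return (timestamp, action, ip, account) for every decision except a plain failure."""
    by_ip, by_account = (FailureCounter(limit, window, block_for) for _ in range(2))
    events = []
    for line in log.strip().splitlines():
        stamp, ip, account, result = line.split()
        now = datetime.fromisoformat(stamp)
        if by_ip.is_blocked(ip, now) or by_account.is_blocked(account, now):
            actions = ["rejected"]
        elif result == "OK":
            actions = ["accepted"]
        else:  # count the failure against both the address and the account
            actions = [name for name, hit in (("block-ip", by_ip.fail(ip, now)),
                       ("lock-account", by_account.fail(account, now))) if hit]
        events += [(stamp, action, ip, account) for action in actions]
    return events
```

Calling `replay(SAMPLE_LOG)` shows the difference between the two settings: the failures against `jan` come from three addresses, so only the per-account counter reacts, and that lock also rejects the correct login from 192.168.1.20 until the block is lifted.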

07 Mandatory https

By default, you manage the NAS via the browser. You then log in to the web interface of the NAS via http. However, communication via http is not encrypted and so can easily be eavesdropped on, including the administrator account name and password. You can prevent this by having the NAS redirect every unsecured connection to the web interface to encrypted https. That's safer and, because the NAS handles it automatically, just as easy. Because the NAS does not have a real SSL certificate but uses a self-signed one, browsers such as Chrome and Firefox show an error, but you can add the URL of the NAS as an exception. The connection is secured, but the identity of the NAS is not proven via the certificate (which does not matter at all within your own home network).
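A way to check that the redirect from this step is actually in force, as an added example that is not from the original article: request the web interface over plain http without following redirects and inspect the answer. The function names are hypothetical, and the address and ports in the sample call are constructed values to replace with those of your own NAS.

```python
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def fetch_plain_http(host, port=80, timeout=5):
    """Request / over unencrypted http and return (status, Location header), no redirects followed."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()

def audit_redirect(host, status, location):
    """Return a list of findings; an empty list means plain http is sent on to https."""
    if status not in REDIRECT_CODES:
        return [f"http answered with status {status} instead of redirecting"]
    target = urlsplit(location or "")
    findings = []
    if target.scheme != "https":
        findings.append(f"redirect target {location!r} is not an https URL")
    if target.hostname and target.hostname != host:
        findings.append(f"redirect points at a different host: {target.hostname}")
    return findings

if __name__ == "__main__":
    nas = "192.168.1.10"  # constructed address; use the address of your own NAS
    status, location = fetch_plain_http(nas, port=80)
    for finding in audit_redirect(nas, status, location) or ["ok: http is redirected to https"]:
        print(finding)
```

A status of 200 on the http port means the login page is still served unencrypted, even if the https port works as well.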
