NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

Gonadman2's avatar
Gonadman2
Aspirant
Feb 28, 2018

Disable Admin access to share

My company has just purchased and installed one of these units to serve as a backup location for ShadowProtect. Our IT service provider have informed us that their policy is: "to configure onsite bac...
Installation & Upgrade
mdgm-ntgr's avatar
mdgm-ntgr
NETGEAR Employee Retired
Feb 28, 2018

The admin account/group should only be used for administrative purposes, so it has full access

 

In any case any admin could still go into the web admin interface and change any settings even if their permissions for accessing shares were restricted so there's not much point to doing so.

Gonadman2's avatar
Gonadman2
Aspirant
Mar 01, 2018

You are correct - but any user that is assigned administrative priveleges automatically gains access to the share. Locking the share down to a single user is a smart thing to do. 

 

So again, is there any way to remove the admin group from share access? It wasn't an issue with our previous QNAP device.

  • Sandshark's avatar
    Sandshark
    Sensei - Experienced User
    Mar 02, 2018

    What are you trying to prevent?  As long as the admin account is only ever used via HTTPS for administering the NAS, I don't see where there is much risk.

    • Gonadman2's avatar
      Gonadman2
      Aspirant
      Mar 02, 2018

      As this unit is managed by multiple users, there is the possibility that someone can create a new user under the administrator group, then use those newly created credentials to access the share on the network. If their local PC becomes compromised (crypto or other malicious attack), then they have direct access to the backup shares. If it were possible to remove the administrator group from having network access to the share this scenario could never be allowed to happen. 

       

      Obviously we can 'manage' this situation through administrative control, but I'd prefer to lock our backups down to a single user and prevent anything like this from ever happening.

      • StephenB's avatar
        StephenB
        Guru - Experienced User
        Mar 02, 2018
        Gonadman2 wrote:

        As this unit is managed by multiple users, there is the possibility that someone can create a new user under the administrator group, then use those newly created credentials to access the share on the network.

        I understand why you want this, but anyone who could do that already can get full access to the entire NAS data volume without creating that new user.  For instance, they can

        • mount the full data volume with SMB using admin credentials
        • just change the network access and file access settings on the share, via the NAS admin UI
        • create a backup job to copy the share somewhere else
        • enable ssh, and give themselves root access
        • ...

         

        The only way to really accomplish your goal is to also create specific controls on what each admin can/can't do - which would be a good feature for the NAS, but isn't there right now.

         

        FWIW, it is possible to go in with ssh and modify the ACL for the share (or perhaps specific subfolders in the share - which might be stickier).  Though it doesn't really prevent the threat, for the reasons noted above.

         

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More