NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Disable Admin access to share
My company has just purchased and installed one of these units to serve as a backup location for ShadowProtect. Our IT service provider have informed us that their policy is: "to configure onsite bac...
You are correct - but any user that is assigned administrative priveleges automatically gains access to the share. Locking the share down to a single user is a smart thing to do.
So again, is there any way to remove the admin group from share access? It wasn't an issue with our previous QNAP device.
What are you trying to prevent? As long as the admin account is only ever used via HTTPS for administering the NAS, I don't see where there is much risk.
As this unit is managed by multiple users, there is the possibility that someone can create a new user under the administrator group, then use those newly created credentials to access the share on the network. If their local PC becomes compromised (crypto or other malicious attack), then they have direct access to the backup shares. If it were possible to remove the administrator group from having network access to the share this scenario could never be allowed to happen.
Obviously we can 'manage' this situation through administrative control, but I'd prefer to lock our backups down to a single user and prevent anything like this from ever happening.
Gonadman2 wrote:
As this unit is managed by multiple users, there is the possibility that someone can create a new user under the administrator group, then use those newly created credentials to access the share on the network.
I understand why you want this, but anyone who could do that already can get full access to the entire NAS data volume without creating that new user. For instance, they can
- mount the full data volume with SMB using admin credentials
- just change the network access and file access settings on the share, via the NAS admin UI
- create a backup job to copy the share somewhere else
- enable ssh, and give themselves root access
- ...
The only way to really accomplish your goal is to also create specific controls on what each admin can/can't do - which would be a good feature for the NAS, but isn't there right now.
FWIW, it is possible to go in with ssh and modify the ACL for the share (or perhaps specific subfolders in the share - which might be stickier). Though it doesn't really prevent the threat, for the reasons noted above.
Gonadman2wrote:As this unit is managed by multiple users, there is the possibility that someone can create a new user under the administrator group, then use those newly created credentials to access the share on the network. If their local PC becomes compromised (crypto or other malicious attack), then they have direct access to the backup shares. If it were possible to remove the administrator group from having network access to the share this scenario could never be allowed to happen.
Obviously we can 'manage' this situation through administrative control, but I'd prefer to lock our backups down to a single user and prevent anything like this from ever happening.
So, you think that someone who would intentionally create an account in the admin group would stop at not also giving that account full file access via some other means? It sounds to me like you are trying to lock one window when the door is wide open. Either you have a strict security policy (though both administrative and hard access policies), or you don't. Either you trust you admins, or you leave yourself wide open for malicious activity. Multiple admins any one of whom you suspect would ever do what you suggest is not strict security. As StephenB has stated, your implementation has a lot of holes that won't be plugged by this one feature.
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
