FG (Aspirant)
Jun 03, 2016
Permissions --- NAS 2120
We just got hit with ransomware last Thursday. It was the .CRYPT version. I have been putting the network back together ever since….what a mess. Small company running a Dell server with Windows Server 2008 R2. It was my PC that got hit; since I am network admin, that might have been how it spread to the rest of the desktops and server. It got into our old NAS, which I had a mapped drive set to, and Windows Credential Manager was remembering the password to the old NAS. I got the ReadyNAS for more storage and also to have road blocks between the desktops and NAS. What I am finding is that when I browse to the NAS in win explorer it will ask me for a password…..good…..I do NOT click the box that says remember my password. I close windows exploder. When I open another exploder session and go to the NAS it gets right in……no password prompt? The only time it asks for a password again is when I log off Windows or restart. This does not seem very secure. I was expecting the new ReadyNAS to help me lock down the access to the NAS so backups and storage would be safer. If the Windows Credential Manager does not save the password then where the heck are they being saved at? Is this a ReadyNAS problem or win problem?
Also, I set up a user on the ReadyNAS called server and another called John and a share folder called server backups. Through Windows if I browse to the share on the NAS signed in as John……lets me in…..ok good. Now I want to jump to the server backups folder; the user John does not have permissions to that folder so I sign in using the user SERVER but it will not let me in, because either win or NAS thinks I am still JOHN. So I have to go to cmd, enter net use and delete the user John. Now I can sign in to the server backups folder using the server user/account.
What am I doing wrong, or is this the way it is supposed to work?
- StephenB (Guru - Experienced User)
It sounds like a real mess.
I am unclear on whether you are having issues restoring the data, or if you are past that, and just wanting to revisit your network security.
Probably the safest approach is to prevent all filesharing protocols on the fully-protected NAS, and have it run backup jobs to reach out to the main NAS for backup. Then enable filesharing only when you are restoring. Of course when the main files are corrupted they will still eventually reach the protected NAS. Off-line storage is therefore still needed. If you have enough space on the protected device you can also enable a single snapshot for each share, which might let you recover the uncorrupted files if they reach the protected NAS before you can stop the backup. You'd need at least 60% free space (not counting snapshot use) in order for this to work, since the NAS will automatically delete the snapshot when the file system gets too full.
Cloud backup (for instance crashplan) might also be a useful safety net.
FG wrote:
I do NOT click the box that says remember my password. I close windows exploder. When I open another exploder session and go to the NAS it gets right in……no password prompt? The only time it asks for a password again is when I log off Windows or restart.
This is standard windows behavior, and the NAS cannot control it. I don't know of any security policy or registry setting in Windows to prevent it.
You can force windows to close all network sessions (and forget any passwords) by opening command and entering "net use * /delete". Though I expect you already know that.
FG wrote:
Also, I set up a user on the ReadyNAS called server and another called John and a share folder called server backups. Through Windows if I browse to the share on the NAS signed in as John……lets me in…..ok good. Now I want to jump to the server backups folder; the user John does not have permissions to that folder so I sign in using the user SERVER but it will not let me in, because either win or NAS thinks I am still JOHN. So I have to go to cmd, enter net use and delete the user John. Now I can sign in to the server backups folder using the server user/account.
Again, this behavior is built into Windows. There is another trick that sometimes is useful. Windows treats the NAS IP address and the NAS name as two different machines. So you can access \\nasname with one set of credentials and \\nasipaddress with another.
- FG (Aspirant)
To your 1st question......At present I am focusing on the security portion of the equation.
I like the idea of the cloud, but it would probably take a full day to download a full back up before we could get the store process going. Because what would be considered a "good" download speed 30mbps?....
I am currently using 4----2TB drives with RAID 10, seems like the fastest and most redundant plan. This leaves me 4TB of storage. But I am open to ideas. For me restore speed is more important than storage volume. I think 4TB should cover us for a while.
Windows!!!!!!!!! Sorry, had to get that out...rant completed.
Snapshots are read only correct? So, if someone got to the READY NAS they could still take the data from the snapshot, but can't change or delete it, correct?
Sounds like I need another 2120. 1 to store backups on and another that is not "shared" that would reach into NAS 1 and make a backup of it.
So, I can access the NAS using \\NASname with user account john and \\192.168.123.123 with user account server on the same PC? I will try this as soon as I get in.
Is a mapped drive letter any more or less secure than jumping to the NAS from the "Network" tab in win exploder?
- StephenB (Guru - Experienced User)
Of course an effective defense from ransomware just means that your next crisis will be from something else :smileyfrustrated:
FG wrote:
I like the idea of the cloud, but it would probably take a full day to download a full back up before we could get the store process going. Because what would be considered a "good" download speed 30mbps?....
Whether it's practical on the backup side does depend on the amount of data churn. Restore will of course take a long time, so I view this as a last-resort option. I use crashplan at home for disaster recovery - my speeds vary greatly, but average closer to 15 mbs than 30. The deduplication does reduce the bandwidth needed (especially for my PC image backups - done with Acronis Trueimage). Note I am not using their enterprise product.
FG wrote:
Snapshots are read only correct? So, if someone got to the READY NAS they could still take the data from the snapshot, but can't change or delete it, correct?
The snapshot is read only (and you can block snapshot access on a share-by-share basis). But that doesn't fully protect it. When the snapshot is created, it actually takes no space. The data blocks are shared with the main share. As files are updated, the original datablocks are in the snapshots alone, with the new data being only in the main share. So if someone over-writes everything in the main share, all the old datablocks end up in the snapshot(s) alone.
If the file system gets too full, the NAS will protect itself by deleting the oldest snapshots - the threshold for that is settable, and is defaulted to 90%. That's why I suggested 60% free-space - if everything is overwritten you should still have 20% freespace (with 40% encrypted data and 40% unencrypted snapshots). But even there, if a second snapshot is made and the main data is over-written again by the ransomware (perhaps from a different pc), then the disk will become completely full and the data you need will be deleted. Note if a second snapshot is not made, the new re-write won't increase the space usage on the NAS.
For your use case, the NAS is doing exactly the wrong thing when the file system fills - because it deletes the unencrypted data you want to protect. You'd much rather make the BTRFS subvolumes read-only at that point. A configuration option to do that would probably be easy (so perhaps put it into the idea exchange).
If you are good with linux tools, there likely are some circuit breakers you could implement that would have a similar result. For instance, you could put a plain-text file in every folder you are backing up. Access that file first, and make sure it still is unencrypted. Then only do the backup if the file hasn't changed. Or do your own monitoring on space usage, and make the volume read-only yourself.
FG wrote:
Sounds like I need another 2120. 1 to store backups on and another that is not "shared" that would reach into NAS 1 and make a backup of it.
That would be a good approach (and at the moment that's an expense that would likely be approved!).
FG wrote:
So, I can access the NAS using \\NASname with user account john and \\192.168.123.123 with user account server on the same PC? I will try this as soon as I get in.
Yes.
FG wrote:
Is a mapped drive letter any more or less secure than jumping to the NAS from the "Network" tab in win exploder?
The early versions of CryptoLocker encrypted mapped drives but not network shares. So in practice mapped drives might be somewhat safer. Theoretically they are both equally vulnerable.
There are other steps (if you google you'll find quite a few suggestions). Some relate to user training (a lot of ransomware vectors in through a phishing email); some relate to blocking use of macros in office. Setting the windows PCs to open JS files by default in notepad is also easy to do, and might prevent a future attack. You might look here: http://blogs.microsoft.com/cybertrust/2016/04/22/ransomware-understanding-the-risk/
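The two circuit breakers StephenB describes above (a plain-text canary file checked before each backup, and a space-usage check on the protected volume), as an added example that is not part of the original thread. The canary file name, manifest location, paths and function names are assumptions, and the script relies on `find`, `sha256sum`, `df` and `awk` being present on the backup host.

```shell
#!/bin/sh
# Added example (not from the thread). CANARY and the manifest path are assumed names.
CANARY=".backup_canary.txt"

# Create a known plain-text canary in every directory under $1 and
# record each canary's SHA-256 in manifest $2 (keep the manifest off the share).
seed_canaries() {
    src=$1; manifest=$2
    find "$src" -type d | while IFS= read -r d; do
        [ -f "$d/$CANARY" ] || printf 'canary: do not modify\n' > "$d/$CANARY"
    done
    ( cd "$src" && find . -type f -name "$CANARY" -exec sha256sum {} + ) > "$manifest"
}

# Succeed only if every canary in the manifest still exists and is unchanged.
# A renamed or encrypted canary makes sha256sum -c exit non-zero.
canaries_intact() {
    src=$1; manifest=$2
    [ -s "$manifest" ] || return 1
    ( cd "$src" && sha256sum -c - ) < "$manifest" >/dev/null 2>&1
}

# Succeed while the filesystem holding $1 is below $2 percent used.
usage_below() {
    used=$(df -P "$1" | awk 'NR==2 { print $5 + 0 }')
    [ -n "$used" ] && [ "$used" -lt "$2" ]
}

# guarded_backup SRC MANIFEST DEST LIMIT command [args...]
# Runs the backup command only when both circuit breakers are closed.
# Returns 2 (canary tripped) or 3 (destination too full) without running it.
guarded_backup() {
    g_src=$1; g_manifest=$2; g_dest=$3; g_limit=$4; shift 4
    if ! canaries_intact "$g_src" "$g_manifest"; then
        echo "canary missing or modified: backup skipped" >&2; return 2
    fi
    if ! usage_below "$g_dest" "$g_limit"; then
        echo "destination at or above ${g_limit}% used: backup skipped" >&2; return 3
    fi
    "$@"
}

# Example call from a scheduled job (paths are placeholders):
# guarded_backup /data /root/canary.sha256 /backup 80 rsync -a /data/ /backup/
```

A non-zero return is the point at which to stop the job and alert; what else to do then (for example, making the volume read-only) is left to the caller.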