BJB
Aspirant
Feb 25, 2018
Solved

User Account Share Access Best Practices

I am setting up user access on my RN424 and was looking at what I set up so long ago on my RN104 that I barely remember why or if I really knew what I was doing! :)

 

On the RN104 I have used the default Music, Pictures, and Video shares for access from PC and from an in-home Minix Streamer.  The access I have on those is "allow anonymous access" and I have read/write for "everyone" and of course read/write for admin. I believe those were the settings I decided on in order to have everything access those shares easily. For example I vaguely remember my first WD streamer needed to write thumbnails back to the NAS so it needed write access.  Not sure on the Minix.

 

Then I set up a share I created, "backup", with a new user that I set up with a password, and I gave that user read/write to the backup share along with admin.  So when I access that the first time from a PC or with my PC-based backup program I have to put in that password and that is the only use for that folder.

 

I am just wondering if that is a reasonable way to set up shares from a security and access standpoint on my new RN424?  I currently do not use any cloud capabilities but am considering it if that matters.  Maybe phone backups and such.

 

Also since I am going to be copying and Rsyncing from NAS to NAS, does that impact my share setup or read/write access?  So if I am backing up/syncing a share from one NAS to the other directly do they need the same access?

 

I was just going to mimic what I did on the old on the new but thought I should check at this early stage.  I plan to make the RN424 my primary NAS (so some streaming and backups) and the RN104 will become mostly just for backups. 


Thanks for any suggestions.

BJB

 

 

 

 

 

 


  • StephenB
    Guru - Experienced User

    Any user accounts you create should have the same UID assigned on both NAS.  Also, any groups you create should have the same GID. That ensures that the file ownership attributes will be understood the same way in both ReadyNAS.

     

    It usually works out better if you keep the file access as read/write for everyone, and manage access via the network access settings alone.

     

    My main NAS is set up to allow guest read/write access (depending on the edge security applied by my router).  Though Microsoft is gradually tightening guest access in Windows, so you could consider simply adding NAS account credentials in the PCs so that guest access isn't needed.  You can create one credential for use when accessing the NAS by IP address and a second one when accessing the NAS by its hostname - that trick overcomes the Windows limitation of only allowing one credential to be used at a time.  

     

    But if the Minix player doesn't allow you to enter SMB credentials for the NAS, then you will still need guest access enabled.  Note that if your Minix streamer uses DLNA, then the SMB network permissions are not relevant.  DLNA doesn't include any access controls.

     

    On the backup, you can disable SMB, etc and just enable Rsync for backup. Enable custom snapshots on the backup to help recovery of deleted files on the main NAS (custom snapshots gives you control over the retention).  This approach provides reasonable isolation from malware attacks (since Windows and OSX don't include rsync).  Of course you would need to immediately disable scheduled backup jobs if malware were to reach the main NAS.  
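One way to check the UID/GID advice in the reply above before setting up NAS-to-NAS rsync jobs (an added example, not part of the original post): it compares two passwd- or group-format dumps and lists names whose numeric ID differs, plus IDs that belong to a different name on the other unit. The account names, IDs and file names are constructed sample data, and collecting the dumps with `getent passwd` over SSH on each NAS is an assumption.

```shell
#!/bin/sh
# Added example: compare account IDs between two passwd- or group-format
# dumps (name:x:ID:...), one per NAS. Field 3 is the UID (or GID).

# Names present in both files whose numeric ID differs.
# Output: "name id_in_first id_in_second"
id_mismatches() {
    awk -F: '
        NR == FNR { id[$1] = $3; next }      # first file: remember name -> ID
        ($1 in id) && id[$1] != $3 { print $1, id[$1], $3 }
    ' "$1" "$2" | sort
}

# IDs that belong to a different name in the second file, so files owned
# by that ID would show up under another account after a copy.
# Output: "id name_in_first name_in_second"
id_collisions() {
    awk -F: '
        NR == FNR { name[$3] = $1; next }    # first file: remember ID -> name
        ($3 in name) && name[$3] != $1 { print $3, name[$3], $1 }
    ' "$1" "$2" | sort -n
}

# Constructed sample data standing in for `getent passwd` output from
# each NAS (assumed collection method; names and IDs are made up).
tmp=$(mktemp -d)
cat > "$tmp/main.passwd" <<'EOF'
backupuser:x:1001:100::/home/backupuser:/bin/false
reader:x:1002:100::/home/reader:/bin/false
media:x:1003:100::/home/media:/bin/false
EOF
cat > "$tmp/backup.passwd" <<'EOF'
reader:x:1001:100::/home/reader:/bin/false
backupuser:x:1002:100::/home/backupuser:/bin/false
media:x:1003:100::/home/media:/bin/false
EOF

echo "Names with different IDs (name main backup):"
id_mismatches "$tmp/main.passwd" "$tmp/backup.passwd"
echo "IDs assigned to different names (id main backup):"
id_collisions "$tmp/main.passwd" "$tmp/backup.passwd"
```

The same two functions work on group-format dumps, where field 3 is the GID.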

     

     

    • BJB
      Aspirant

      Stephen,

       

      Thanks. Looking ahead to when I upgrade windows to the Fall Creator's edition, I want to set this up to avoid problems there too. 

       

      I understand about restricting access in the network access tab and not the file access tab.  I think I did that, just didn't know it or explain it. 

       

      None of my PCs in the house have logins or passwords for windows and are a mix of windows versions.  All do not need to access the NAS all the time, mostly the Win10 machine does and it is the only one that needs write access. I use SAMBA on Minix and guest access I believe.

       

      If I am understanding your post, once on Fall Creator's update I will have to create two sets of credentials on windows, and I have the windows link on how to do that. But will that be for guest/everyone, admin, or another netgear user I need to setup? One for IP-based access and one for NAS name access?  

       

      My original premise for setting up a username and password for my backup folder was that no one else in the house could access those images and accidentally delete them. 

       

      For Videos, Music, and Photos, I would want read/write and similarly I would not want others to be able to delete them, but would want them easily read. I guess on the new NAS I could have the same result by only using the Admin username and password (so the same one I log into the Netgear GUI with) on the Windows 10 machine that needs read/write to all, and for the other machines just let them default to "guest" for now.  Perhaps I do not need to setup a third login?

       

      I guess the only flaw there is if "everyone and guest and anonymous" (not sure of the differences) have write access.  Then anyone could theoretically delete stuff.

       

      Sorry, feel like I am almost at the finish line but not quite there!  :smileyhappy:

       

      BJB

       

       

       

       

       

       

       

       

       

       

      • StephenB
        Guru - Experienced User

        BJB wrote:

        Stephen,

         

         If I am understanding your post, once on Fall Creator's update I will have to create two sets of credentials on windows, and I have the windows link on how to do that. But will that be for guest/everyone, admin, or another netgear user I need to setup? One for IP-based access and one for NAS name access?  

         

         


        Windows Vista, Windows 7 - 10 all have the Credential Manager.

         

        You can use the NAS admin account when you want full read/write access (and those are the credentials I've stored in my PCs).  

         

        You'd want to create another user on the NAS for the read-only use case.  Use the default USER group for this account.

         

        It sounds like you also would want to keep everyone guest access in the NAS for the Minix player at least - changing it to read-only (like the secondary user).

         

        So everyone/guest and the USER group would be set for read access; and the admin group would have full access.  There's no harm in also adding the admin account with full access, and the secondary user for read access.

         

        The last part is how to manage the combination of read-only access for some PC users, but full read-write access for you.  That's where the hostname vs ip-address trick comes in handy.  You can store the admin credentials for the IP address, which will give you (or anyone else) automatic read-write access when you enter \\nas-ip-address into file manager.  Use the secondary (read-only) user credentials for the hostname, which gives you (or anyone else) read-only access when entering \\nas-host-name.  Just be careful to close your full-access windows when you are done.

         

         
