BJB
Jul 05, 2013 · Aspirant
WDTV Streaming Read Access rights vs. Admin Write Backup
Greetings,
I am trying to determine the best approach to set up my user (and groups if necessary) and permissions on my Readynas102 on OS6 and a WDTV Live Streaming device. I will be using the NAS for both backup of local PCs and streaming of video and pictures to a WDTV streamer.
I have things setup and working at default. Of course default means the streaming device could write back and copy/move/delete files...not good.
And also, it displays my backup folders also. The WDTV currently logs in as "Anonymous". I believe (although I am not certain) the first time I logged in I provided my overall NAS admin login password but I am not certain.
Currently no users or groups are setup. Of course I have my admin login to get to the readynas.
I would like seamless read/write access to the readynas from my networked PC's. The WDTV will accept a new logon and I assume "see" whatever the readynas lets it.
Is the correct strategy to set up a new user called say "WDTV" and just provide read access to the shares that I want it to see? That way, my backup folders, etc. will not be seen by the streamer. Also, it will not be able to write to it. Although I assume once I do that, the little file markers it creates to handle its "resume" playing function might no longer be able to be created so I might lose that functionality. As far as a tradeoff, I can live with that.
Then, do I need to setup another user for my PC network or can I just leave that as it is??? It just "sees" the NAS and I can read/write to it without issue.
I fear if I setup an "admin" user then I will have to provide passwords etc. within the home network. Or once I setup the WDTV user will it then need me to setup say an admin user to continue to provide that full access.
In addition to the above user(s), do I need to setup any groups?
I am sure if I start using the android app or cloud app my attitude might be different. But I am not going there yet.
Thanks in advance for any tips you can provide.
BJB
- StephenB (Guru - Experienced User)
It is definitely a good idea to think about security now.
You might try changing the "everyone" access to read-only on the media shares, and uncheck it altogether on the backup folders (also unchecking "allow anonymous access"). You do that on the access tab of the share settings. That should solve the issue with the WDTV without needing to give it a special account. You will need to change "everyone access" anyway if you want to prevent anonymous users from seeing or deleting files.
That will likely also have the same effect on the PCs if I understand your setup correctly - so you would either need to use your existing admin account for them, or create one or more user accounts.
By default, Windows presents your Windows user/password to the NAS when you connect. If that user name is not configured on the NAS, you get anonymous access. You can override this default behavior using the Windows Credential Manager (in the control panel for Win7, Win8). It also exists in other Windows versions, but is a bit harder to find. Anyway, you specify the NAS name or IP address (name is better) and set the username/password you want to use.
So you have several options:
(a) leave everything as is, and don't worry about the WDTV writing back.
(b) Change settings for "everyone" access on the NAS as noted above, and use windows credentials manager to tell your PCs to use your existing admin account. If the PC logon name is "admin" already, the PC might not remember the password correctly on restart - in which case you will need to re-enter it. (Vista has that problem, not sure about other versions of Windows).
(c) Change settings for "everyone" access on the NAS as noted above, create a single user account on the NAS for all PCs to share and use windows credentials manager to tell all your PCs to use that user/pass when using the NAS.
(d) Change settings for "everyone" access on the NAS as noted above, create a user account for each PC that matches their existing windows user/password. Whenever you change the PC password, you'll need to change it on the NAS as well.
(e) change settings for "everyone" to totally block anonymous access to every share. Create a WDTV account for the WDTV. Create a user account for each PC that matches their windows user/password (leaving all accounts in the user group). Explicitly configure access rights for each user to each share.
(f) change settings for "everyone" to totally block anonymous access. Create a WDTV account and "mediaplayer" group for the WDTV. Create a user account for each PC that matches their windows user/password (leaving them in the user group). Use Group access controls for each share to specify read/write access to it. If you get more mediaplayers in the future, create accounts for them in the mediaplayer group.
Personally I just use (a) at home. My wife and I are the only users, and my various gadgets (mediaplayers, etc) have never done any damage to my files.
(b) and (c) are also fairly simple and I think provide the security you are looking for, and have the benefit that the files in the shares will all have the same owner.
(d)-(f) are workable, but in my view are more appropriate for enterprise. However, if family members have private files (for instance if you have kids and want to limit their access), and everyone uses their own PC account already, then those methods might be the right ones for you.
BTW, I have two general suggestions for your new NAS:
(1) work out a backup strategy and back it up regularly. RAID-1 is not sufficient to protect your data. A USB or eSATA drive will work (ideally two drives that you swap every week).
(2) Get a UPS for your NAS. A lot of issues we see here start with a power failure. Most UPS have a USB connector that you plug into the NAS (so the NAS will monitor it, and shut down when the UPS battery drains). Make sure you get one that has that connector.
- BJB (Aspirant)
Stephen,
Thanks for that great reply! It really helps a lot. Definitely have a UPS on it and plan to backup. RAID 1 better than no mirror, but things still go wrong.
One basic question on the readynas. Is the same login I use to get to my os6 login and management screen via a web browser also the admin login that would allow me to get to any folder I want with windows (file) explorer with read/write access? So if I change things and I get a popup, that is already my admin login?
As far as the username strategy, I do not have any login or passwords setup on my home computers. My firewall and router does not allow remote access.
The PC's even share the same username (who is the admin although the name is not "admin") so that remote desktop (only from INSIDE the house, never outside) works without having to login, etc. My regular bootup for each PC, no login, no username, no login prompt. Main PC that will use the NAS is windows 7.
And clearly any cloud or remote access (and that is a ways off) would be a separate login for sure.
Does that change your recommended answer? I am leaning towards B and C.
And if I do add the windows credentials I assume that won't change my windows bootup and prompt for a password. It would just use them when I try to connect to the NAS. I did a little research on how to do it, but all I saw was posts about how windows forgets the credentials. :D I know the static IP, etc. so it does not look that difficult to setup if it works.
All of this kind of makes me wonder if that NAS would ever be available for a "bare metal" restore of a Ghost (actually SSR2013) image. Windows would allow me to make the image there via credentials but I wonder if a bootup CD to restore would be that smart. Minor issue, could always just copy the image.
Glad I asked about this, this is almost like thinking about enterprise-security but I would rather keep it simple if possible.
Thanks,
BJB
- StephenB (Guru - Experienced User)
> BJB wrote: ...Is the same login I use to get to my os6 login and management screen via a web browser also the admin login that would allow me to get to any folder I want with windows (file) explorer with read/write access?
Yes.
> BJB wrote: ...As far as the username strategy, I do not have any login or passwords setup on my home computers. My firewall and router does not allow remote access.
> The PC's even share the same username (who is the admin although the name is not "admin") so that remote desktop (only from INSIDE the house, never outside) works without having to login, etc. My regular bootup for each PC, no login, no username, no login prompt. Main PC that will use the NAS is windows 7.
> And clearly any cloud or remote access (and that is a ways off) would be a separate login for sure.
> Does that change your recommended answer? I am leaning towards B and C.
No, it wouldn't change my answer. B or C would be fine. One small clarification - Each user shown on OS6 gets a private share. You will only see that in Windows Explorer if you log in as that user. Admin can see it from the Web UI (and SSH), but not from Windows Explorer. Personally I think that's a bug, we'll see if it changes. That might tip you towards B.
> BJB wrote: ...And if I do add the windows credentials I assume that won't change my windows bootup and prompt for a password. It would just use them when I try to connect to the NAS....
Correct. BTW, the only PC we have where Windows "forgets" the credentials is our Vista Desktop. That system is set to bootup as admin (and like your systems has no password). Every reboot I need to enter the user/password manually once. My 2 Windows 7 systems and the XP system don't have that problem. I'm not sure if it is "admin" as user name that makes Windows forgetful, or if it is something about Vista.
> BJB wrote: All of this kind of makes me wonder if that NAS would every be available for a "bare metal" restore of a Ghost (actually SSR2013) image. Windows would allow me to make the image there via credentials but I wonder if a bootup CD to restore would be that smart. Minor issue, could always just copy the image.
I restored from Acronis image backups a couple of times over the past 2-3 years, and the credentials were kept.
> BJB wrote: ...this is almost like thinking about enterprise-security but I would rather keep it simple if possible.
Agreed. Just having consolidated storage pushes you a bit in that direction. Add in remote access over the internet (whether cloud or port-forwarding) with PCs and mobile devices, and you get pushed further in that direction. Keeping it simple is good, but I agree that home users do end up needing to think more about security. I'm thinking that consumer routers will end up with VPN support (today it is a small business feature). That will help.
- BJB (Aspirant)
Got it! If I restrict write access to the WDTV via option b) or c), will it still be able to write any metadata it finds say for a movie search? I assume it tries to store that on the NAS where it got the movie file from. Just thought about that....
> BJB wrote: ...Is the same login I use to get to my os6 login and management screen via a web browser also the admin login that would allow me to get to any folder I want with windows (file) explorer with read/write access?
> Yes.
Per the above....I restricted my "everyone" access on a share and then tried to access it from the PC. As expected a login popped up. I used the same username and password I use to login to the NAS (the "admin" login) and it would not give me access. I also tried to set it up in windows credentials and the same popup would not give me access. There is one popup that asks for the network password for the NAS...I provide the "admin" username and my password, then another popup asks for the "network password" to connect to the NAS. This is the typical windows username pre-filled in and a password box. My password won't get me past this to connect.
Since you said my admin account would not get me to the files via explorer, do I take this to mean I should just setup my own new user say called "admin" and give it access to everything and then windows and windows explorer could connect to this new "user"?
Thanks...sorry for the additional questions. I understood exactly what you said, it is just not responding as expected.
BJB
- StephenB (Guru - Experienced User)
> BJB wrote: Got it! If I restrict write access to the WDTV via option b) or c), will it still be able to write any metadata it finds say for a movie search? I assume it tries to store that on the NAS where it got the movie file from. Just thought about that....
If you deny it write access, then of course it will not be able to store anything on the NAS. That includes meta-data.
> BJB wrote: ...I restricted my "everyone" access on a share and then tried to access it from the PC. As expected a login popped up. I used the same username and password I use to login to the NAS (the "admin" login) and it would not give me access. I also tried to set it up in windows credentials and the same popup would not give me access. There is one popup that asks for the network password for the NAS...I provide the "admin" username and my password, then another popup asks for the "network password" to connect to the NAS. This is the typical windows username pre-filled in and a password box. My password won't get me past this to connect.
My RN102 is open - I'll need to check this. It shouldn't be doing that. It sounds like the first password entry was rejected.
> BJB wrote: Since you said my admin account would not get me to the files via explorer, do I take this to mean I should just setup my own new user say called "admin" and give it access to everything and then windows and windows explorer could connect to this new "user"?
Let me try again. If you add a user XXX to the NAS, then when that user browses the NAS share list (for instance by entering \\NASNAME in windows explorer) he will see a share called XXX.
Similarly user YYY will see a share called YYY. They will not see each other's shares. If you use the admin username, you also will not see XXX or YYY. You will see an admin share. These shares are called "private" shares, and there is no way for one user to access another user's private share from Windows. Personally I think that is a bug. Admin should be able to see everything. On older ReadyNAS you can browse the entire volume as admin - which in my view is the correct behavior.
- StephenB (Guru - Experienced User)
> BJB wrote: Per the above....I restricted my "everyone" access on a share and then tried to access it from the PC. As expected a login popped up. I used the same username and password I use to login to the NAS (the "admin" login) and it would not give me access. I also tried to set it up in windows credentials and the same popup would not give me access. There is one popup that asks for the network password for the NAS...I provide the "admin" username and my password, then another popup asks for the "network password" to connect to the NAS. This is the typical windows username pre-filled in and a password box. My password won't get me past this to connect...
I changed SMB security for an RN102-hosted share. Everyone is not checked, admin and one other user are set to read/write.
I can access that share correctly using admin credentials - no password prompt appears.
- BJB (Aspirant)
> StephenB wrote:
> > BJB wrote: Per the above....I restricted my "everyone" access on a share and then tried to access it from the PC. As expected a login popped up. I used the same username and password I use to login to the NAS (the "admin" login) and it would not give me access. I also tried to set it up in windows credentials and the same popup would not give me access. There is one popup that asks for the network password for the NAS...I provide the "admin" username and my password, then another popup asks for the "network password" to connect to the NAS. This is the typical windows username pre-filled in and a password box. My password won't get me past this to connect...
> I changed SMB security for an RN102-hosted share. Everyone is not checked, admin and one other user are set to read/write.
> I can access that share correctly using admin credentials - no password prompt appears.
I have the exact same share settings. Only read/write on this one share (backup) is on admin.
When I click on admin in explorer, it asks for username and password. I put it in, and NOW, I get the generic windows box that says "NAS is not accessible. you might now have permission.........".
So it is not respecting the fact that I have logged in as admin from windows for some reason. Again, not sure if it matters that I have no windows username or password setup.
Perhaps I need to setup a user called "admin2" or something and login from the computer as that specific user for windows use. But I have no idea why admin does not work. Of course admin via the web does get me in, etc...
Does the domain matter? Windows is listing as the domain my PC name....but I can't change that.
If I go back and open up the sharing for that folder then I can get back to it again in windows.
BJB
- StephenB (Guru - Experienced User)
> BJB wrote: Does the domain matter? Windows is listing as the domain my PC name....but I can't change that.
You should be able to change it, but I don't think it matters. It's not really a domain, it is the machine name in this case. I believe the NAS is ignoring it.
On the NAS do you have authentication set to "local users"? (that is what it should be set to). The authentication tab is on the accounts page. While you are there, you might also set the workgroup to match the workgroup name on your PCs.
- BJB (Aspirant)
> StephenB wrote:
> > BJB wrote: Does the domain matter? Windows is listing as the domain my PC name....but I can't change that.
> You should be able to change it, but I don't think it matters. It's not really a domain, it is the machine name in this case. I believe the NAS is ignoring it.
> On the NAS do you have authentication set to "local users"? (that is what it should be set to). The authentication tab is on the accounts page. While you are there, you might also set the workgroup to match the workgroup name on your PCs.
On the Accounts>Authentication page, I do in fact have workgroup name set to the same workgroup as my network. I also have "Access Type" set to "Local Users".
I was also looking under shares again....I noticed under security they are at the default settings of "guest" for owner and group and Folder owner, folder group, and folder everyone rights are "read/write". Should that folder owner (of the folder I only want PC/admin access to) be admin? It is strange that the choice is typed in and not a drop-down. I never changed these. However on the access page again, I just have "admin" checked for read/write.
I appreciate you continuing to try to help me figure this out. I've been able to setup windows networks with multiple versions back to 3.1 and even mixed-window-version networking groups, but I can't seem to figure this out...which should be simpler!
Thanks again,
BJB
- StephenB (Guru - Experienced User)
guest is the default owner the RN102 uses. (it has the same uid as the linux "nobody" account).
My shares are set to admin/admin. So it might be useful to try that.
BTW, though the choices are typed, they are checked - you should get an error if you type a non-existent user or group.
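One way to confirm from a Windows PC that the share access settings discussed in this thread behave as intended, as an added example that is not from any of the posters: the script connects to each share with an explicit account and reports whether that account gets no access, read-only access or read/write access. The NAS name, the share names `media` and `backup`, and the expected-access table are assumptions to adjust.

```powershell
# Added example: check what each NAS account can actually do over SMB.
# 'NASNAME', the share names and the expected results are placeholders.
# Requires PowerShell 3.0 or later (New-PSDrive -Credential on UNC paths).
$Nas = 'NASNAME'

# Want: 'rw' = read/write, 'ro' = read-only, 'none' = no access.
$Expect = @(
    @{ User = 'WDTV';  Share = 'media';  Want = 'ro'   },
    @{ User = 'WDTV';  Share = 'backup'; Want = 'none' },
    @{ User = 'admin'; Share = 'media';  Want = 'rw'   },
    @{ User = 'admin'; Share = 'backup'; Want = 'rw'   }
)

function Test-ShareAccess {
    param(
        [string]$Unc,
        [System.Management.Automation.PSCredential]$Credential
    )
    $drive  = 'NasProbe'
    $result = 'none'
    try {
        # Connect with the supplied account instead of the Windows logon.
        New-PSDrive -Name $drive -PSProvider FileSystem -Root $Unc `
            -Credential $Credential -ErrorAction Stop | Out-Null
        # Listing the share root proves read access.
        Get-ChildItem -Path "${drive}:\" -ErrorAction Stop | Out-Null
        $result = 'ro'
        # Creating a marker file proves write access.
        $probe = "${drive}:\acl-probe-$PID.tmp"
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        $result = 'rw'
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
    } catch {
        # The first failing step leaves $result at the last level that worked.
    } finally {
        # Drop the session so the next account gets a fresh logon.
        Remove-PSDrive -Name $drive -ErrorAction SilentlyContinue
        & net.exe use $Unc /delete /y 2>$null | Out-Null
    }
    return $result
}

$creds  = @{}
$report = foreach ($e in $Expect) {
    if (-not $creds.ContainsKey($e.User)) {
        # Prompt once per account; the password never appears on a command line.
        $creds[$e.User] = Get-Credential -Credential $e.User
    }
    $got = Test-ShareAccess -Unc "\\$Nas\$($e.Share)" -Credential $creds[$e.User]
    [pscustomobject]@{
        User = $e.User; Share = $e.Share; Want = $e.Want
        Got  = $got;    OK    = ($got -eq $e.Want)
    }
}
$report | Format-Table User, Share, Want, Got, OK -AutoSize
```

Windows allows only one set of credentials per server in a logon session, so close any Explorer windows or mapped drives that point at the NAS first (`net use` lists them); otherwise a connection can fail and show up as `none`.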