
User Account Share Access Best Practices

BJB
Aspirant

I am setting up user access on my RN424 and was looking at what I set up so long ago on my RN104 that I barely remember why or if I really knew what I was doing!

 

On the RN104 I have used the default Music, Pictures, and Video shares for access from PC and from an in-home Minix Streamer.  The access I have on those is "allow anonymous access" and I have read/write for "everyone" and of course read/write for admin. I believe those were the settings I decided on in order to have everything access those shares easily. For example I vaguely remember my first WD streamer needed to write thumbnails back to the NAS so it needed write access.  Not sure on the Minix.

 

Then I set up a share I created, "backup", with a new user that I set up with a password, and I gave that user read/write to the backup share along with admin.  So when I access that the first time from a PC or with my PC-based backup program I have to put in that password and that is the only use for that folder.

 

I am just wondering if that is a reasonable way to set up shares from a security and access standpoint on my new RN424?  I currently do not use any cloud capabilities but am considering it if that matters.  Maybe phone backups and such.

 

Also since I am going to be copying and Rsyncing from NAS to NAS, does that impact my share setup or read/write access?  So if I am backing up/syncing a share from one NAS to the other directly do they need the same access?

 

I was just going to mimic what I did on the old on the new but thought I should check at this early stage.  I plan to make the RN424 my primary NAS (so some streaming and backups) and the RN104 will become mostly just for backups. 


Thanks for any suggestions.

BJB
Model: RN104|ReadyNAS 100 Series,RN424| ReadyNAS 424 4-Bay with up to 40 TB total storage
Message 1 of 6

StephenB
Guru

Re: User Account Share Access Best Practices

Any user accounts you create should have the same UID assigned on both NAS.  Also, any groups you create should have the same GID. That ensures that the file ownership attributes will be understood the same way in both ReadyNAS.

 

It usually works out better if you keep the file access as read/write for everyone, and manage access via the network access settings alone.

 

My main NAS is set up to allow guest read/write access (depending on the edge security applied by my router).  Though Microsoft is gradually tightening guest access in Windows, so you could consider simply adding NAS account credentials in the PCs so that guest access isn't needed.  You can create one credential for use when accessing the NAS by IP address and a second one when accessing the NAS by its hostname - that trick overcomes the Windows limitation of only allowing one credential to be used at a time.  

 

But if Minix player doesn't allow you to enter SMB credentials for the NAS, then you will still need guest access enabled.  Note that if your Minix streamer uses DLNA, then the SMB network permissions are not relevant.  DLNA doesn't include any access controls.

 

On the backup, you can disable SMB, etc and just enable Rsync for backup. Enable custom snapshots on the backup to help recovery of deleted files on the main NAS (custom snapshots give you control over the retention).  This approach provides reasonable isolation from malware attacks (since Windows and OSX don't include rsync).  Of course you would need to immediately disable scheduled backup jobs if malware were to reach the main NAS.

 

 

Message 2 of 6
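
The UID/GID advice in the reply above can be checked mechanically before the first NAS-to-NAS rsync job. The following is an added example, not part of the original post and not NETGEAR tooling; it assumes you have passwd-format account listings from both units, and the listings, account names and IDs shown are constructed.

```python
# Added example: compare account listings from two NAS units.
# Both listings below are constructed sample data in /etc/passwd format.
PRIMARY_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backupuser:x:1001:100::/home/backupuser:/bin/false
reader:x:1002:100::/home/reader:/bin/false
media:x:1003:100::/home/media:/bin/false
"""
BACKUP_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
reader:x:1001:100::/home/reader:/bin/false
backupuser:x:1002:100::/home/backupuser:/bin/false
"""

def parse_ids(text):
    """Map name -> numeric ID from passwd- or group-format text (name:x:id:...)."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        # Skip blanks, comments and malformed entries rather than guessing.
        if len(fields) < 3 or fields[0].startswith("#") or not fields[2].isdigit():
            continue
        ids[fields[0]] = int(fields[2])
    return ids

def compare_ids(primary, backup):
    """Return (mismatched, collisions, missing) for two name -> ID maps."""
    # Same account name, different numeric ID on the two units.
    mismatched = {n: (i, backup[n]) for n, i in primary.items()
                  if n in backup and backup[n] != i}
    # Same numeric ID, different account name: files copied with their
    # numeric owner would be attributed to the wrong account.
    backup_by_id = {i: n for n, i in backup.items()}
    collisions = {i: (n, backup_by_id[i]) for n, i in primary.items()
                  if i in backup_by_id and backup_by_id[i] != n}
    # Accounts that exist only on the primary unit.
    missing = sorted(set(primary) - set(backup))
    return mismatched, collisions, missing

if __name__ == "__main__":
    mismatched, collisions, missing = compare_ids(
        parse_ids(PRIMARY_PASSWD), parse_ids(BACKUP_PASSWD))
    for name, (a, b) in mismatched.items():
        print(f"MISMATCH {name}: primary={a} backup={b}")
    for num, (a, b) in collisions.items():
        print(f"COLLISION id {num}: primary={a} backup={b}")
    for name in missing:
        print(f"MISSING on backup: {name}")
```

The same functions work on group listings, since the group file also carries the name and numeric GID in its first and third colon-separated fields.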
BJB
Aspirant

Re: User Account Share Access Best Practices

Stephen,

 

Thanks. Looking ahead to when I upgrade Windows to the Fall Creator's edition, I want to set this up to avoid problems there too.

 

I understand about restricting access in the network access tab and not the file access tab.  I think I did that, just didn't know it or explain it. 

 

None of my PCs in the house have logins or passwords for Windows and are a mix of Windows versions.  All do not need to access the NAS all the time, mostly the Win10 machine does and it is the only one that needs write access. I use SAMBA on Minix and guest access I believe.

 

If I am understanding your post, once on Fall Creator's update I will have to create two sets of credentials on Windows, and I have the Windows link on how to do that. But will that be for guest/everyone, admin, or another Netgear user I need to set up? One for IP-based access and one for NAS name access?

 

My original premise for setting up a username and password for my backup folder was that no one else in the house could access those images and accidentally delete them. 

 

For Videos, Music, and Photos, I would want read/write and similarly I would not want others to be able to delete them, but would want them easily read. I guess on the new NAS I could have the same result by only using the Admin username and password (so the same one I log into the Netgear GUI with) on the Windows 10 machine that needs read/write to all, and for the other machines just let them default to "guest" for now.  Perhaps I do not need to set up a third login?

 

I guess the only flaw there is if "everyone and guest and anonymous" (not sure of the differences) have write access.  Then anyone could theoretically delete stuff.

 

Sorry, feel like I am almost at the finish line but not quite there!

 

BJB
Message 3 of 6
StephenB
Guru

Re: User Account Share Access Best Practices


@BJB wrote:

Stephen,

 

If I am understanding your post, once on Fall Creator's update I will have to create two sets of credentials on Windows, and I have the Windows link on how to do that. But will that be for guest/everyone, admin, or another Netgear user I need to set up? One for IP-based access and one for NAS name access?

 

 


Windows Vista, Windows 7 - 10 all have the Credential Manager.

 

You can use the NAS admin account when you want full read/write access (and those are the credentials I've stored in my PCs).  

 

You'd want to create another user on the NAS for the read-only use case.  Use the default USER group for this account.

 

It sounds like you also would want to keep everyone guest access in the NAS for the Minix player at least - changing it to read-only (like the secondary user).

 

So everyone/guest and the USER group would be set for read access; and the admin group would have full access.  There's no harm in also adding the admin account with full access, and the secondary user for read access.

 

The last part is how to manage the combination of read-only access for some PC users, but full read-write access for you.  That's where the hostname vs ip-address trick comes in handy.  You can store the admin credentials for the IP address, which will give you (or anyone else) automatic read-write access when you enter \\nas-ip-address into file manager.  Use the secondary (read-only) user credentials for the hostname, which gives you (or anyone else) read-only access when entering \\nas-host-name.  Just be careful to close your full-access windows when you are done.

 

 

Message 4 of 6
BJB
Aspirant

Re: User Account Share Access Best Practices

Thanks as always.  I think I have it.

 

Just curious about "everyone".  Everyone is not a user in the "accounts" tab.

Does an "everyone" setting override all settings you might have for other users?

 

For example right now on my new NAS I have not set up anyone as a new user. Just admin (which theoretically requires a password).  However I can see my new NAS and add/delete files.

 

I assume this is because "everyone" has read/write access and because by default anonymous access is allowed?

Thanks,

BJB

 


Message 5 of 6
StephenB
Guru

Re: User Account Share Access Best Practices

"Everyone"  just means "all users".  There's no "everyone" account.

 


@BJB wrote:

 

For example right now on my new NAS I have not set up anyone as a new user. Just admin (which theoretically requires a password).  However I can see my new NAS and add/delete files.

 

I assume this is because "everyone" has read/write access and because by default anonymous access is allowed?

Yes.  

 

If anonymous access were not allowed, then any user account on the NAS would have full access, but you wouldn't be able to access the NAS if you weren't using the credentials from a NAS user account.

 

Also, anonymous access only applies when the Windows logon doesn't match a user account on the NAS - which is different from using a logon with the wrong password.  For instance if your PC used admin as the username but had a different password than the NAS admin account, then you would be denied access - even if anonymous access was allowed.

 

 

Message 6 of 6