myQnapCloud and permission

[erahamim]

HI,
I have TS-212 server and I configured it to work with cloud.
Everything works fine but I wounder if there is an ability to limit the users permissions that are accessing the server from the internet.
For example, I don't like the idea that the admin user can logged in from remote. But I don't see any were to configure it that it not allowed.
I want to configure only read only user that will have access to read the files.
Is there a way to limit the access of the admin user from outside network?

[pwilson]

HI,
I have TS-212 server and I configured it to work with cloud.
Everything works fine but I wounder if there is an ability to limit the users permissions that are accessing the server from the internet.
For example, I don't like the idea that the admin user can logged in from remote. But I don't see any were to configure it that it not allowed.
I want to configure only read only user that will have access to read the files.
Is there a way to limit the access of the admin user from outside network?

No there is no way to restrict "admin" access remotely. If users can access it remotely, then "admin" can too.
Yes you can create users with read-only access to your shares.

[pbecks1963]

Hello people,

So what can we do to make our QNAS more secure? I understand that publishing the NAS/services on the web is dangerous in itself (even via https). Is it possible to let admin have it's full rights via the LAN, but with minimal rights via the WAN?

I have already made my router unpingable and disabled the webaccess of the router via WAN. I also restricted the ip/ip-range that can access the web-interface

What more can we do to secure our NAS? (for ex: at work we use "tokens" to have an extra authentication means)

[schumaku]

I understand that publishing the NAS/services on the web is dangerous in itself (even via https).

It's not dangerous - there are some risks: If you want to permit access to NAS services from remote for you, for your family, for a team, ...

Is it possible to let admin have it's full rights via the LAN, but with minimal rights via the WAN?

The problem is not per se admin. You can have other users member of the administrators group, and most likely don't want to lock this down. The predefined or well-known usernames like admin (or say root on U**x in general, Administrator in Windows, ...) offer some wider attack vectors* In my opinion, there must be no admin, no root, or whatever default account (commonly accounts with shared passwords) in place permitting privileged NAS access. Only personal accounts should be permitted for authentication in general.

I have already made my router unpingable....

What for? If prohibiting all ICMP traffic you can even create troubles when it comes the Path MTU Discovery for example.

...and disabled the webaccess of the router via WAN.

Most don't have any usage for it.

I also restricted the ip/ip-range that can access the web-interface

Pretty much impossible when you don't know from where you want to access it...

What more can we do to secure our NAS?

Ensure you have Security -> Network Access Protection for services exposed *Doing so does mitigate a good part of the risk.

(for ex: at work we use "tokens" to have an extra authentication means)

The feature request to add Google 2-Step Verification is open for a while.

Everything pretty much off-subject by the way.

[pbecks1963]

Thnx schumaku.

(i forgot about google authentication)

[pbecks1963]

One more question, is it possible to read-out the file that stores the blocked ip's? (network access protection) I don't see any notifications so far about blocked ip's (could be just lucky?)

Just being curious..

ps: i made my router pingable again

[nac_zero]

Hi people,

I'm planning to buy a qnap nas server for storing files and accessing the files, documents, photos, music files, from internet by multi users.
I wonder if there is an function to limit users and permission related to files or application.
For example, my idea, User A can access all applications and files from internet, User B can access only music files via qMusic.
(I mean that User A is myself as a root user, User B is a my friend who I want to share my music files with.)
Can I configure qnap WAN access as I expect?

Thank you.

[nac_zero]

Hello
I understand that myQnapCloud provides user restriction function by published and private services with access code.
I'd like to set all services "private", no published and in private to give permission in accordance with the kinds of services and users.

Thank you.

[schumaku]

For example, my idea, User A can access all applications and files from internet, User B can access only music files via qMusic.
(I mean that User A is myself as a root user, User B is a my friend who I want to share my music files with.)

Qmusic is the mobile companion app to Music Station. For the basic QTS applications, (and access protocols) you can you can manage application rights on a per (local) user base:

QTS_4.1_Application_Privilege.PNG

I understand that myQnapCloud provides user restriction function by published and private services with access code.

Nope- no user restrictions. All connections and authentications are established direct to your NAS - private services are just protected from being listed publicly on the myQNAPcloud portal, the access code is to make the links visible.

I'd like to set all services "private", no published and in private to give permission in accordance with the kinds of services and users.

You can set all services to private to hide them on the myQNAPcloud portal - there is no user access control beyond of the access code.

Beyond of the portal with its private/public/access key administration (total overkill and misleading...) the service works like yet another DDNS service.

Regards,
-Kurt.