FreshRSS

🔒
❌ À propos de FreshRSS
Il y a de nouveaux articles disponibles, cliquez pour rafraîchir la page.
À partir d’avant-hierFlux principal

QNAP NAS Security Check List – 23 Different Ways to Secure Your NAS

21 octobre 2022 à 18:00

QNAP NAS Security Check List – 23 Vital Steps to Secure Your NAS

It must be frustrating to hear about all ransomware and other kinds of attacks on QNAP. Especially if you plan to buy one or own a NAS already. In simple terms, you need to treat your NAS just like your computer. You would not risk going online without an antivirus installed on your Windows PC. Nowadays, Microsoft has built-in antivirus, but systems like NAS do not follow the same route. This is something you need to do manually just like in the olden days. And there are a lot more risks to consider when exposing your server to the internet. At best few brands like Synology will have built-in security advisor software. This will scan the system and notify you about all weak areas in your setup. But even that is not perfect. In this article, I will try to write from a hacker’s perspective. How would they think and what strategies they will use to attack your home network and your NAS.

How hackers attack your NAS?

NAS Security Checklist

How do you secure your NAS?

Bonus – How to secure your Network?

What are the ways your system can be attacked?

There are dozen of different kinds of methods to attack. But there are only a few that actually can affect a big number of NAS users. The rest of the attacks are very targeted at a single victim. Something for unique personal benefit. So the most popular attacks will be explained later in this article.

How does a hacker know I have a NAS?

They won’t until you tell them you have one. Hackers tell robots to scan every single IP in the world on daily bases. This is a single ping (something like saying Hello to a person). By default, devices are configured to reply with hello if they hear the ping. This is where hackers will initiate an open port scan which we will talk about in the next chapter.

Why do I have open ports?

Ports are like doors to different departments in your office. Something like IT office (NAS control panel), The Office Canteen (NAS multimedia apps), HR (NAS email and databases), the dispatch office (file transfer protocols) and so on. Random people pressing buttons on the control panel could cause the company to collapse. In order to keep people out, we use keycards (NAS user authentication).

Some of the door names (ports) are very specific to a certain NAS. This is how hackers can guess what kind of NAS you own.

A simple scan from online   https://pentest-tools.com  (check your IP) would check the most common ports and tell you if they are open.

A remote scan from a MAC terminal using the command nmap would show not just a few, but all single ports open.

Why open ports are potentially dangerous?

With additional commands like ‘vuln’, and ‘exploit’ hackers will check for software vulnerabilities. All services need regular updates. If not updated specific scripts will detect an outdated service and will allow hackers to abuse it. Similar to having an office key 🔑 that is 100 years old. Even kids could break in.

So your first defence here is your router. If you have not opened any ports since you received your modem/router from your broadband company you should be safe.

But it is worth checking those ports. When you log into your NAS as an admin you can tell your router to open ports. This will be called Port Forwarding. Be careful what you click. There is nothing wrong with open ports if you have security set up. I will talk about security configuration later on.

Here is a list of QNAP default ports link And here is Synology.

 

Brute force

Now when hackers know you have a NAS with certain ports open, they can start the most basic attack which is guessing your password.

They will try the most common usernames and passwords (such as Admin Password).

 

Where do hackers find my passwords?

First of all, they will use robots to try every single word inside the dictionary.

There are lists of stolen user names and passwords available on the black market for hackers to buy. You can check if any of your passwords are being sold here https://haveibeenpwned.com or here https://www.avast.com/hackcheck/

When someone is asked to replace or improve the password people so often simply capitalise the first letter, then add the number 1 and ! mark at the end of the password. Of course, hackers will try all stolen passwords with this modified version of it.

 

Phishing Attack

This is more popular among targeted attacks where people gain access to your personal data which is priceless. Since this attack is more profitable hackers can spend more time on every person individually. They would normally send you an email that looks very similar to QNAP official emails. They will say something like “your password is compromised, please change it here”. Then they will ask for old password and the new one. This is where they steal your password because you landed on hackers website that looks like QNAP. Always make sure URL is actually QNAP and not something like QNAPpp.com.

 

MAN in the middle 

Another popular phishing method is in places with Public Wifi (coffee shops, trains etc ). Man in the middle can see all data you send and receive if you don’t use HTTPS in URL. Hackers can also direct you to the page that again looks similar to QNAP page where you put your password in. But actually, it’s hackers website. Never access your important stuff or log into anywhere from free wifi EVER!

 

Zero-Day Exploit

Every piece of software becomes vulnerable with time. Either it is an Operating system or individual apps. Zero-day exploit means that there is a way to break into a system because there is no patch created or the patch has been installed on a particular system. So this makes it a ticking time bomb. They don’t even need your username and password.

It depends on each company how they deal will vulnerabilities. Some companies run Security Bug Bounty Program and some don’t. When a hacker finds a new security hole in the system they have to make a choice. Either they sell this information to a NAS brand or they sell this information to the black market. Or sometimes people simply share vulnerability info for free here https://www.cvedetails.com/vulnerability-list/vendor_id-10080/QNAP.html .

It is up to each brand how quickly they make a patch for each hole. Until there then you either need to disable the service or add another layer of security that doesn’t allow hackers to take advantage of this security hole.

You can scan your network for vulnerabilities and exploits using NMAP command.

 

Or for the visual interface, you can use Zenmap.

 

 

What about other attack types?

Malware Attacks

This will be vare rare occasion to get an actual virus. This usually happens with computers when you try to open a suspicious email attachment file. It could be zip or exe file or similar. On a NAS this could happen when manually installing OS or app. Instead of using AppStore or automated updates.

These viruses include worms, spyware, ransomware, adware, and trojans. This could be done via cheap smart plugs from China or elsewhere if you connect them in the same network (it’s good practice to connect them via guest wifi).

How To Choose The Right Settings to Secure Your NAS?

How do you secure your NAS

Now it’s time to go through the checklist and make sure your NAS is safe. You do not need to tick all of the boxes on the checklist. You start with the top and make your way down. The lower you get, the more secure your system gets.

Security Level Protects against
BASIC

  • A strong password
  • IP/USER autoblock
  • Two-Step auth
  • Disable Admin
  • Create non-Admin users
  • Remove Apps
  • Disable services
  • Change/ close ports
Brute Force Attack
MEDIUM

 
  • Enable auto-updates
  • Install Security Advisor
  • Install Antivirus / Set scan schedule
  • Enable Firewall (GEO)
  • Set User access rights (shared folders)
  • Use VPN to connect to your NAS remotely (Norton etc.)
  • Use SSL (HTTPS)
  • Isolate NAS apps
  • Use separate Volumes for storage and OS
Phishing Attack
MAN in the middle
Zero-Day Exploit
HIGH

  • Firewall (IP based)
  • Ubiquiti unify dream machine, pfsense switch
  • Open VPN, quWAN
  • Hide NAS IP via free VPN
  • Isolate smart devices VLAN (plugs,speakers etc)
  • Backup
Targeted attack

1. How to Check and/or Change Your Password

If you use the same password on multiple websites to log in, you risk that your password could be stolen from one of those websites and used to log in to any of your accounts on any other website.

It is humanly impossible to create a strong password that is unique to every account and Still Remember it. So use password generators and save those passwords. One day, when two-step authentication will be required on every system, then weak passwords will not be an issue anymore. And all passwords as you know them will seize to exist.

Protecting ADMIN account with a Very complicated password is the most important thing you have to do. Hackers will be able to access ANYTHING they want on your NAS. If they gained an access to a non-admin user the damage will be very limited.

You can use this random string generated every time you reload this page

Or with Google Chrome browser use an auto generator

QNAP default Admin password is NIC MAC address, maybe you can use a similar method with a strong password printed on sticker

To change a password, log into your QNAP and click on your user name on the top bar. Then select Options.

Click on the tab ‘Password Settings’

If you do not trust Google password wallet, you can store your passwords on an encrypted SSD like datashur. You will need to physically have this USB stick around and it can be accessed only with a pin code.

Something similar to a password is a SSH KEY. Instead of having an 8-character string, you can have an entire document filled with random characters. This is called ssh key. You can keep it on a fingerprint-based memory stick. Simple Lexar USB will do the trick.

You can enable SSH Key login option when you open User settings and click on SSH Keys tab.

 

2. How to Enable IP/Account autoblock

Hackers will usually deploy robots to use all possible combinations and stolen password lists to hack your account. If you enable autoblock this will stop the robot after a certain number of attempts. You can block an IP or the user account. You will find respective tabs when you open Control panel/ Security. IP Access Protection is for IP based blocks and Account Access Protection is for locking the account for everyone not just that IP. Some advanced robots will be using various IP addresses from the zombie computers they have gained access to before.

 

 

3. How to Enable two-step authentication

Two-step authentication means that you will use a code from another device that only you can have access to. This could be SMS code, email code or Authenticator App code. QNAP only allows Authenticator App that you can install on your Android or iPhone.

 

4. How to Disable Admin Account Access

Just like I mention above, ADMIN account has no limits on what it can do. You can create several Admin accounts. All hackers know that the default Admin account is named ‘Admin’, so all they need to do now is try all possible passwords. Simply disabling the main Admin account and creating another one with some unusual name would slow hackers down quite a lot. Slowing down does not mean stopping them. So make sure accessing this account is very difficult, even for you.

 

5. How to Create non-Admin users and tailor their Access

When accessing your NAS on daily bases you should use a non-Admin account that has limited functionality and access to the services and files.

6. Remove Apps you don’t use – How to Check and Change Them

When people get a new NAS they usually are so excited and install every possible app to try it out. But no one removes them nor updates them. More apps you install, more potential attacks you can expect. Each app has its own volnurabilities that gets fixed via regular updates. If you never use half of your apps, why take the risk of potential security holes in any of those apps? Disable or remove apps you don’t use.

7. How to Disable Services that you don’t use

This could include SSH/Telnet that us used for command line access to your NAS. And UPnP / CloudiD firewall hole punching for remote access.

  • Telnet
  • SSH
  • UPnP
  • QNAP CloudiD

You can find all services in QNAP Settings page

Go to app center/ myQNAPcloud to find UPnP and CloudiD settings

 

 

8. How to Close Unused Ports and/or Change ports

Disabling services you don’t use will also close relevant ports. If you do enable services such as SSH, make sure you set a different port. This will confuse and slow hackers down. By default, hackers will test if you have port 22 open before they decide to attack. If ports is changed to 2889, you are less likely to be attacked. The most important ports hackers will use are SSH/Telnet and Ports 80, 443, 8080 and 8443 (HTTP and HTTPS).

 

9. How to Enable auto-updates on your NAS

Every time there is a notification about new updates indicates that hackers have found a new hole in the software. Not always hackers can get into your system because of this software bug. But in certain circumstances, they can. The chances to attack increase dramatically when you have open ports on your router and have no firewall or any malicious traffic prevention tools enabled.

Sometimes NAS is configured in a specific way that an update might disable important features. It is OK not to update these NAS ASAP as long as the system is not exposed to the internet thanks to open ports.

You can enable automatic App updates when you open AppCenter/ Settings/ Update.

You can also enable automatic operating system updates when you open Control Panel/ Firmware Update/ Auto update

10. Make Sure You Install the Security Advisor and Councilor Application!!!

With so many apps and services, it is hard to know what is going on behind the scenes. Security Advisor will run system checks and will alert you if any apps have open ports or have changed configuration that is not safe. You can install it via AppCenter.

You can then choose the level of security you need. The basic level is often all you need for home use. Businesses might go for the Advanced level. Top-level will suggest disabling a lot of features that is not useful for home use.

11. Install Antivirus and Set a Scheduled Scan on Day 1

Security counsellor app will allow you to enable 4 crucial parts of your NAS security.

  • Security Checkup (will scan for configuration weaknesses)
  • Antivirus (scan files for viruses)
  • Malware Remover (Remove any malware found on the system)
  • QuFirewall (limit the access your NAS based on IP, GEO and other rules)

 

By enabling Antivirus, this actually do not do any scans. You need to manually set the scan schedule. Go to Control panel/ Antivirus/Scan Jobs to set it up.

 

12. How to Enable Firewall protection on Your NAS on Day 1

Having a firewall will automatically block anyone if they do not pass tests like location or IP address. Similar to WD NAS, you can choose to have access to the admin panel ONLY when you are physically present inside your business network. Any access attempts to the control panel over the internet will be blocked. You need to open QuFirewall app and select one of these

  • Basic protection (allow your country only to access)
  • Subnets Only (allow only your local network to access)
  • Restricted security (allow access to popular services only)

 

13. How to Set and/or Change User Access Rights

As suggested before, only use non-admin accounts for daily use. Admin account is only meant to be accessed for configuration changes. Make sure that users have no access to other user data. You can create separate shared folders that can be shared. If hackers will manage to gain access to this user account, they can only destroy this user’s data and not others. If the admin account is hacked then all users will lose the data.

You can create a separate shared folder with unique access rights under Control Panel/ Shared Folders. I would have separate shared folders and user names for Multimedia, surveillance and Backups.

You can also specify different volume for each shared folder. This could also protect your data. Last ransomware attacked only volume1. Those with multiple volumes were not as affected. Especially who use volume one for OS and apps only. You can also encrypt shared folder. If someone steals your NAS, they can not see any data in this folder.

 

14. Use VPN to connect to your NAS (Norton etc.)

Never connect to your NAS via free WiFi. If you have to, use VON on your phone or computer. This will create a private network between your laptop and VPN server. No one in this free WiFi network will be able to see what you are doing. What data you are sending or receiving.

https://us.norton.com/products/norton-secure-vpn

 

15. Install an SSL (HTTPS) Certificate for Encrypted Access

If you do not have VPN installed on your laptop and you are for some reason connected to free wifi or work wifi that you do not trust, always make sure you use HTTPS in the URL. This will encrypt any user names, passwords and any other data you fill in boxes on any website. Same applies to the URL when visiting NAS applications. If for some reason it has no HTTPS/ SSL/ TLS encryption enabled, you can install a new certificate in Control Panel/ Security/ SSL & private Key tab.

 

16. How to Separate and Isolate NAS Applications

If there is a security hole within an app like Video Station, hackers will damage as much data as possible using the username from this app. If an app is using Admin-level access rights, hackers can not only damage this app but also gain access to anything else on your NAS. With Synology, you will notice that for example, Plex app has its own username and shared folder created automatically. This user has no other access. The worst hackers can do is delete or enjoy your movie collection. On QNAP you will need to create a Video user manually. Then you go to settings and allow only this user within the app. No admin.

Control panel/ multimedia console/ video station permission settings is the place to configure this. Similar steps apply to other apps.

If you go to Control panel/ user groups and click the last icon (application privilege), you can choose which apps user can have access to.

17. How to Separate Volume for Storage and the OS Installation/Storage

If you have separate volumes, this might save you from lazy hackers. In the last ransomware attack, they only targeted volume1. This saved a lot of people’s data.

You can create volumes under Storage & Snapshots / Create

 

 

18. Hide NAS IP with VPN

You can install VPN on your router or NAS. This way, no one knows what your real IP address is. This can prevent targeted attacks. Nord VPN will change your IP every 5 minutes. This is the average time hackers will need to scan through every single port on your network. So if they find open ports or vulnerabilities, it is too late. You now have a different identity. Do this only with trusted VPN service providers. At the end of the day, when you connect to any VPN server/proxy, you do not know who else is connected to that VPN.

I would use a separate MR2200ac router connected to my main router. All unsafe devices like smart plugs, light bulbs and other similar devices would connect to this individual WiFi network. These smart devices if hacked would have no access to your NAS and other important devices with sensitive data.

 

If you have Synology  router with SMR 1.3 you can avoid setting this up on your NAS itself

To use your Synology Router as a VPN client, go to Network Center > Internet > Connection > Primary Interface > VPN settings to modify the settings.

 

 

19. Alternatively, How to Use Open VPN, TeamViewer, nConnect , quWAN

You can create a VPN server on your NAS. You can then connect to your NAS via a computer client using this encrypted tunnel.

https://www.QNAP.com/en/how-to/tutorial/article/how-to-set-up-and-use-qvpn

If you own QNAP smart switches and you want to link your office with your home, use quWAN. This will link these two networks together. This will give a feeling that you NAS and other network devices are actually in the same room.

Here is some more info https://www.QNAP.com/en-uk/software/quwan

Here is a video on how to set this up.

You can also achieve similar results with two MR2200AC routers (priced at around $100 each).

20. How to Isolate smart devices VLAN (plugs, speakers etc)

This allows you to create an invisible fence in your existing network. You can connect all devices using LAN ports on your switches/router. In the management portal you can select which LAN ports can or can not tlk to each other. So this way you can connect your NAS, computer and other important devices on VLAN1 and less trustworthy devices such as smart home system and speakers on VLAN2. Even though you ports on the router are closed, these smart devices are allowed to open doors from inside. Similar to your computer. You can only received data back after your computer have sent a request to some destination. This opens a private hole in your network for this transaction. Who knows how safe those cheap smart home devices are.

Here are some cheapest devices that support VLAN

NETGEAR GS305E and MR2200ac

21. Ubiquiti unify dream machine, pfsense, Synology switch with an intrusion system

As I mentioned in the paragraph above, your devices in your local network are opening and closing holes in your network every second. If your computer has a malware infection, it will be opening ports and sending your private data to hackers. You will notice your computer being slower than usual. I would recommend going to the system monitor and checking the resources consuming most of the CPU, running time etc. Then research what is service name is about. Also, go through installed apps and see if there is something you don’t recognise. And install Antivirus and scan the system when you notice unusual activity.

If you purchase DreamMachine router, pfsense or Synology router, you will get an intrusion system built in. This will scan all your internal network devices. What ports they are opening and where data is being sent. This traffic will be compared against databases that daily update IP lists from hackers etc. These routers will also block traffic from unknown devices that run a suspiciously high number of requests.

Here are a few DreamMachine, pfsense and Synology routers/switches.

22. Firewall (IP based)

 

 

23. Backup, Backup, BACKUP!!!! Set up a QNAP NAS 3-2-1 Backup Routine

The last and most overlooked thing to do is a backup. It is not IF, but WHEN your NAS will be attacked, stolen or broken. Runing automated backups nowadays is easy. You can even make an agreement with a friend that you back up each others NAS. One reserves some space on their NAS for you, and you do the same for them. Every night or hour your data will be encrypted and stored there. Only you can access it.

We covered pretty much ALL the ways you can backup your QNAP NAS in this video below:

Quick Setup – How to secure your Network?

  1. Secure your router
    1. Check open ports and close unnecessary ports
    2. Enable firewall
    3. disable ping response
    4. disable port forwarding [if there is no firewall and other measures in place]
    5. disable router remote management option
    6. Use WPA2 or newer WiFi mode and make sure the password is strong
    7. Guest WiFi (private)
    8. Use VPN
    9. Enable automated updates
    10. VLAN (smart devices)
    11. An intrusion detection system (Synology)
  2. Redesign your internal network
    1. Keep your network devices under different network segments
    2. Use switches with built-in firewalls and filters [Ubiquiti UniFi Dream Machine or unifi software]
    3. Add physical firewall [pfsense] https://shop.netgate.com/products/1100-pfsense

 

📧 LET ME KNOW ABOUT NEW POSTS 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,377 other subscribers

Get an alert every time something gets added to this specific article!


Want to follow specific category? 📧 Subscribe

This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below

Need Advice on Data Storage from an Expert?

We want to keep the free advice on NASCompares FREE for as long as we can. Since this service started back in Jan '18, We have helped hundreds of users every month solve their storage woes, but we can only continue to do this with your support. So please do choose to buy at Amazon US and Amazon UK on the articles when buying to provide advert revenue support or to donate/support the site below. Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you. Need Help? Where possible (and where appropriate) please provide as much information about your requirements, as then I can arrange the best answer and solution to your needs. Do not worry about your e-mail address being required, it will NOT be used in a mailing list and will NOT be used in any way other than to respond to your enquiry. [contact-form-7]     Terms and Conditions Alternatively, why not ask me on the ASK NASCompares forum, by clicking the button below. This is a community hub that serves as a place that I can answer your question, chew the fat, share new release information and even get corrections posted. I will always get around to answering ALL queries, but as a one-man operation, I cannot promise speed! So by sharing your query in the ASK NASCompares section below, you can get a better range of solutions and suggestions, alongside my own.  

Synology NAS Setup Guide 2022 – Setup, Users, Updates, Remote Access and Security Settings

5 septembre 2022 à 01:10

DSM 7 Installation Guide – Setting Your Synology NAS Up Right – FIRST TIME!

If you have purchased your new Synology NAS (or it is soon to be arriving and you want to be prepared to set it up), then congratulations! You are on your way to enjoying your very own private storage solution that can allow you to access your data in your home, business or remotely anywhere in the world. However, it is worth noting that although a lot of the setup of a Synology NAS is quite straightforward, there are a number of early choices during the initial installation that, if made incorrectly or in haste, cannot be reversed without restoring the system to factory settings. Therefore it is understandable that when setting up your Synology NAS for the first time, that you want to get it right the first time too! So today I want to start my 5 part series here on NASCompares where I will be guiding yoU through setting up your Synology as smoothly as possible. This guide has been made using a number of setup elements from Synology’s own resources, along with my own recommendations on your setup and links to more unique tutorials you may find helpful. In part 1, we will be going through setting the NAS up physically, initializing the DSM 7 software and services, creating a storage area, multiple users, customizing the security settings to your needs and establishing safe remote access to your Synology NAS. The following guide (part one at least) should take you a little under over 30 minutes to do EVERYTHING, with the remaining parts being a little more optional and centred around more user-specific applications and services. If you would prefer to follow the video guide on this, I have released a 9 Part video guide series for Synology NAS in 2022 available below. Otherwise, let’s get started on setting up your Synology NAS.

Here are the 9 Parts of the Synology Video Guide Series

Synology NAS Setup Guide 2021/2022 Part I – 2021/2022 – DSM 7 – RAID – VOLUMES – SHARES – MAPPED DRIVES

Synology NAS Setup Guide 2022 #2 – Snapshots, NAS to NAS/CLOUD/USB, SaaS Backups & Sync

Synology NAS Setup Guide 2022 #3 – Photography, Indexing, Sharing & Moving from Google

Synology NAS Setup Guide 2022 #4 – Music Audio, Indexing, Sharing and Streaming over DLNA

Synology NAS Setup Guide 2022 #5 – Video Station, Stream to Fire TV, DLNA and Indexing TV/Films

Synology NAS Setup Guide 2022 #6 – Setting Up Plex Media Server Right First Time

Synology NAS Setup Guide 2022 #7 – Setting Up Surveillance Station, Cameras, Control and Alert

Synology NAS Setup Guide 2022 #8 – Setting Up an iSCSI Target and a Storage LUN

What you will need when setting up your Synology NAS the first time.

  • A Synology NAS (duh!)
  • An active internet connection and Router/Modem (not essential, but will make initial setup and firmware 10x easier)
  • Access to a Router or Switch that is also accessible with a client computer/mobile device
  • An available mains power outlet

That is all you need for Part 1 of this guide. Let’s begin.

Physical Installation of a Synology NAS

Physical Installation of the hard drives or SSD into the Synology NAS is very, very easy and is completely toolless (for Hard drives, SSD require you to use 4 screws for each that are in the accessories box). Once you have unboxed all the accessories, you need to remove the trays (all of them, or as many as you need for your hard drives).

Then each tray has removable clips on either side. Once removed, you can slot the hard drive into the tray, with the connector facing out and the manufacturer label facing up.

Then put the clips back, ensuring the 4 plugs are inserted into the holes on the drive. Then just slide each tray+drive back into the NAS. Once this is done, connect the power brick into the rear of the NAS and then the mains power lead into the power brick and the wall socket.

Finally, you need to connect the network LAN cable into the network port on the rear of the NAS and connect the other end to your router, modem or switch (in simple speak, the box your internet service provider have you or the box the other internet things are connected to. You can now click the power button on the front of the NAS and you will hear a beep and the device will take around 2-3mins to initialise. If you are having difficulty with the physical installation of your Synology NAS, you can use the first part of the video below, where I will show you each step of the physical installation and then move on to the DSM 7 setup with the Synology Assistant and Web GUI via your browser.

The Synology NAS runs on its very own operating system, known as Diskstation Manager (DSM) and this is what separates it from most traditional USB direct-attached storage (DAS) and network drives that are just brainless storage. DSM allows users to run hundreds of applications, each with their own user interface (UI) on the NAS, that they can access on desktop computers, mobile devices and media devices. After you have installed hard drives and booted the device up, and found the device in your network (using the free Synology Assistant application for PC/Mac or DS Finder mobile app) you will be asked to proceed with the Synology DSM installation.

Install DSM 7 using a desktop Web Browser with the Web Assistant

Your Synology NAS comes with a built-in tool, Web Assistant, which helps you download the latest version of DSM from the Internet and install it on your Synology NAS. To use Web Assistant, follow the steps below:
1. Power on your Synology NAS.
2. Open a web browser on a computer within the same network where your Synology NAS is located, and go to “find.synology.com”. The status of your NAS should be Not installed.
3. Select your Synology NAS and click Connect on Web Assistant.
4. Click Install to start the installation process and follow the on-screen instructions

• Both your Synology NAS and computer must be on the same local network.
• We suggest using Chrome or Firefox as the browser for DSM installation.
• For more information on the setup of Synology NAS and DSM, please refer to the Hardware Installation Guide for your Synology NAS models available via Synology’s Download Center

Install DSM 7 with Your Mobile with the DS finder Application

You can also install DS finder (App Store/Google Play Store) on your mobile device to install DSM as demonstrated below:
1. Power on your Synology NAS.
2. Connect your mobile device to the local network where your Synology NAS is located, and launch DS finder.
3. Tap SET UP NEW NAS to start the setup process.
4. Follow the on-screen instructions to establish the connection between your mobile device and Synology NAS, and tap SEARCH. DS finder will search for your Synology NAS. The status of your NAS should be Not installed.
5. Select your Synology NAS and tap INSTALL to start the installation process and follow the onscreen instructions.

Notes:
• We take Android 10 as an example in this chapter. The actual steps may vary across OS versions and devices.
• Both your Synology NAS and mobile device must be on the same local network.
• DS finder can only run on Android and iOS devices.
• DS finder supports installing DSM on most Synology NAS models (except rack-mount models and desktop models of FS/XS series).

How to Configure storage space on your Synology NAS with the Storage Manager

This section guides you through the steps of storage pool creation using the built-in package, Storage Manager. When it’s your first time launching Storage Manager, Storage Creation Wizard will help you create and configure storage pools and volumes. A storage pool is a single storage unit consisting of multiple drives. A volume is a storage space created on a storage pool. You have to create at least one volume to store data on your Synology NAS.

How to Create a Storage pool and Volume

  1. Launch Storage Manager in the Main Menu. Storage Creation Wizard will pop up to lead you through the steps below
  2. Choose a RAID type to protect your storage. Some RAID types are available on certain models according to the number of drive bays. To know which RAID type is proper for your storage pool, you can refer to the Understand RAID types section or this article.
  3. Deploy drives to constitute the storage pool.
  4. Allocate the volume capacity.
  5. Select a file system. We recommend Btrfs for its data protection features. To learn more about the differences between Btrfs and ext4, you can refer to this article

Btrfs – Supports various data protection features, e.g., snapshot, replication, point-in-time recovery, and data integrity check.

ext4 – Features wide compatibility with Linux operating systems. It has fewer hardware requirements than Btrfs.

  1. Confirm the settings. The system will automatically run the storage creation and optimization process in the background.

How to Access and Navigate the Synology DSM 7 GUI

After installing DSM on your Synology NAS, you can sign in to DSM using the DSM user account you have just added during the first-time installation. Follow the steps below to sign in via a web browser:
1. Make sure your computer and Synology NAS are connected to the same local network.
2. Open a browser on your computer and enter one of the following in the address bar:

• find.synology.com: Enter this URL only if your computer and Synology NAS are connected to the same local area network.
• IP address of your NAS:5000: If the IP address of your Synology NAS is “192.168.48.14”, type “192.168.48.14:5000”. The IP address depends on the settings made during the initial setup

  1. Enter your username and click the rightward arrow.
  2. Enter your password and click the rightward arrow again to sign in.

Key Navigation Options Options, A Brief Overview

The DSM Browser-Based Desktop GUI

After signing in, you can see the DSM desktop, where your application and package windows are displayed. You can also create desktop shortcuts to frequently used applications. why are you copying me!

The DSM 7 Tasks, Activity & Notification Panel

The taskbar is located at the top of the screen and includes the following items:why are you copying me!

1. Show Desktop: Minimize all launched applications and packages windows.
2. Main Menu: Click the icon to view and open applications and add-on packages. You can also click and drag to create desktop shortcuts.
3. Open applications: Displays currently launched applications and packages. You can right-click and pin the applications or packages to the taskbar for faster access in the future.

4. Upload Queue: Appears when you start uploading files to your Synology NAS. Click the icon to see more details, such as progress and upload speed.why are you copying me!
5. External Devices: This appears when an external device (e.g., a USB flash drive) is attached to your Synology NAS.
6. Notifications: Displays notifications, such as errors, status updates, and package installation notifications.why are you copying me!
7. Options: Click the menu to shut down, restart, or sign out of your Synology NAS. You can also select Personal from the menu to modify personal account settings.
8. Widgets: Show or hide widgets. Widgets are located on the right side of DSM desktop by default, displaying various types of system information, such as storage, system health, etc.
9. Search: Quickly find specific applications, packages, or DSM Help articles.

The DSM Appliations & Services via the Main Menu

You can find a list of applications and packages installed on your Synology NAS here. To create a desktop shortcut, open Main Menu, and click and drag an application or package to the side.

How to Change Personal Settings in DSM 7

You can select the Personal option from the drop-down menu to manage your account settings, such as the password, display language, sign-in methods, and display preferences. The following gives you an overview of tabs under this option:

• Account: Edit account settings, enable advanced sign-in methods, and view recent login activities of your DSM account (refer to this article for more information).
• Display Preferences: Edit date and time formats as well as the appearance of your desktop (refer to this article for more information).
• Email Delivery: Add your email accounts at this tab. These email accounts are used in the following scenarios (refer to this article for more information):
• Deliver files stored in File Station as attachments.
• Send event invitation emails via Synology Calendar.
• Send notification emails when sharing files with others via Synology Drive.
• Quota: View your quota on all volumes set by the administrator’s account, as well as the amount of capacity you have used on each volume. On models with Btrfs support, you can also view the quota and capacity usage of each shared folder.
• Others: Customize other personal account options (refer to this article for more information)

How and Why to Create a shared folder to start sharing files in DSM 7

Through the setup of a shared folder, you can turn your Synology NAS into a convenient and secure file-sharing center. This section explains the role of shared folders on DSM and gives you instructions on file management using File Station and DS file. Understand shared folders A shared folder is a home directory where you can store and manage files and subfolders. You must have at least one shared folder to store files on your Synology NAS. Data stored in shared folders can be kept private or shared with specific users or groups based on custom permission settings. Some packages or services require a dedicated shared folder to ensure functionality (most will create a folder automatically). Removing any shared folder removes all the data and their snapshots within the folder. If you need the data, please back them up first before the removal.

How to Navigate, Manage and Access Files in the DSM 7 Web-Based GUI

File Station is a built-in file management tool on DSM. File Station provides a centralized interface where you can access and manage files and folders with web browsers and grant other users access to files based on the permissions you set. This section guides you through the steps of file management via File Station. Launch File Station and click Settings. You can perform the following actions here:

• Configure general settings.
• Mount shared folders, virtual drives, servers, and cloud service.
• Allow specific users to share file links or make a request for file access.
• Set speed limits for file transfer via File Station.
• Enable converting HTML files to plain text for security reasons.

Search for files or folders. File Station provides regular search and advanced search to meet different requirements:
• To perform a regular search, click the folder where the desired files or folders are located. Type a keyword in the Search field.
• To perform an advanced search, go to the folder where the desired files or folders are located. Click the magnifying glass icon next to the Search field to expand the advanced search menu, where you can set multiple search conditions for a refined search result.

How to Manage files and folders Easily in DSM 7

Select a file or folder and click Action or simply right-click it to perform the following actions:
• To send a file as email attachments: Right-click a file and select Send as email attachments. You can directly send and share files as email attachments in File Station once you have set up email delivery settings in the pop-up Personal window.
• To view or rotate pictures: Double-click a picture to open it in a viewer window, where you can view and rotate pictures.
• To edit the access permissions: Right-click a file or folder and select Properties. You can edit access permissions at the Permission tab.
• To generate file-sharing links: Right-click a file or folder and select Share. A shared link will be automatically generated. You can further specify validity periods or enable secure sharing.

How to Create local Users and Groups in DSM 7

You can grant family members or business associates access to Synology NAS by creating user accounts for them. For the ease of administration, you can create groups to categorize users and manage them together. This section guides you through how to create users and groups in Control Panel.

How to Create a User in DSM 7

  1. Go to Control Panel > User & Group > User.
  2. Click Create to launch User Creation Wizard.
  3. On the Enter user information page, enter the following user information:

• Name
• Description (Optional)
• Email (Optional): Enter the user’s email address. System notifications, such as password reset messages, will be sent to the address specified here.
• Password
• Confirm password

  1. On the same page, configure the following advanced settings that will be applied to the
    user:

• Send a notification mail to the newly created user: You have to enable email notifications in Control Panel > Notification > Email to allow the system to send emails. If you have not yet set up notification settings, a confirmation dialog box will pop up and lead you to the setup page when you tick this checkbox. For more information on the notification settings, please refer to the Manage notifications section.
• Display user password in notification mail
• Disallow the user to change account password
• Password is always valid: You will not see this option If Password Expiration at the Advanced tab is not enabled. This option makes this user’s password always valid and the rules of Password Expiration will not be applied to this user.
5. On the Join groups page, specify the groups to which the new user should belong. The default groups are administrators, http, and users. Please refer to the Create a group section to customize groups.
6. On the Assign shared folders permissions page, choose which shared folders the user can access. When the user permissions conflict with group permissions, the privilege priority is as follows: No access > Read/Write > Read only. The Preview column displays the access privileges that will take effect.
7. On the Assign user quota page, you can specify the maximum amount of space the user can use for each volume/shared folder. Enter a value and select the size unit in the User Quota
field.

  1. On the Assign application permissions page, you can control which services the user can access. When the user permissions conflict with group permissions, the Deny permission always has priority over the Allow permission.
  2. On the Set user speed limit page, you can enable a speed limit for different services (e.g., File Station, FTP, rsync, etc.) to restrict the amount of bandwidth consumed by the user when transferring files. For each service, you can select one of the following:

• Apply group settings: If the user belongs to multiple groups, the group with a higher speed limit has priority over other ones.
• Set up speed cap: Specify upload and download speed limits in the fields to the right.
• Advanced settings: Two customized speed limits and the group limit can be applied to the user according to the schedule you set. You can modify the speed limit settings and set the schedule in the pop-up window.
10. On the Confirm settings page, check and confirm the setting summary.
11. Click Done to finish the settings.

How to Create a User Create a group

  1. Go to Control Panel > User & Group > Group.
  2. Click Create to launch Group Creation Wizard.
  3. On the Enter group information page, enter a group name.
  4. On the Select member’s page, add target users to the group.
  5. On the Assign shared folder permissions page, specify group members’ permissions to each shared folder.
  6. On the Assign group quota page, you can enable the usage quota for each service to control how much storage can be used by each group member.
  7. On the Assign application permissions page, you can control which services group members can access.
  8. On the Set group speed limit page, you can enable a speed limit for different services (e.g., File Station, FTP, Rsync, etc.) to restrict the amount of bandwidth consumed by each group member when transferring files. For each service, you can select one of the following:

• Set up speed cap: Specify upload and download speed limits in the fields to the right.
• Advanced settings: Two customized speed limits and no limits can be applied according to the schedule you set. You can modify the speed limit settings and set the schedule in the pop-up window.

  1. On the Confirm Settings page, check and confirm the setting summary.
  2. Click Done to finish the settings.

Creating a Synology Account for Remote Access & Managing Services

As an owner of Synology NAS, you should have a Synology Account to access Synology online services and manage your customer information. Different from DSM user accounts, which can be used to sign in to DSM, a Synology Account allows you to manage your billing information, registered Synology products, requests for technical support, and Synology online services (e.g., QuickConnect, DDNS, and Synology C2). For more information on the differences between Synology Accounts and DSM user accounts, please refer to this article.

Sign up for a Synology Account and bind your Synology NAS during DSM installation or by following the steps below:
1. Go to this website.
2. Complete the form and click Next. Then, follow the on-screen instructions to create a Synology Account

  1. Go to the email box you have entered, and click the email titled Synology Account – sign up (sent from “[email protected]”) to get your verification code.
  2. Enter the verification code and click Next.
  3. Check the terms and privacy policy. Click Submit.
  4. Go to Control Panel > Synology Account, and click Sign in or sign up for a Synology Account.

  1. In the pop-up window, enter the credentials of your Synology Account and click Sign In.
  2. Now you have successfully registered for a Synology Account and bound your NAS to it

Creating and Editing Your QuickConnect ID

QuickConnect allows client applications to connect to your Synology NAS via the Internet without setting up port forwarding rules. It can work with Synology-developed packages, such as Audio Station, Video Station, Download Station, Surveillance Station, Synology Photos, File Station, Note Station, CMS, Synology Drive, and mobile applications. You can either specify your QuickConnect ID during DSM installation, or activate the service by following the steps below:
1. Go to Control Panel > External Access > QuickConnect.
2. Tick the Enable QuickConnect checkbox

  1. If you have not signed in to your Synology Account, a login window will pop up. Enter your existing Synology Account information or create a new account in the window.
  2. Specify a new QuickConnect ID.
  3. Click Apply.

Notes:
• A customized QuickConnect ID can only include English letters, numbers, and dashes (-). It must start with a letter, and cannot end with a dash.

How to Configure & Increase Network Access Security

Once your Synology NAS is connected to the Internet, it is crucial to ensure system security. This section provides you four methods to strengthen the security of your DSM. Configuring a Firewall, utilizing the Security Advisor, Activating 2-Step Authentication and Enabling auto block, Account Protection, and DoS protection.

How to Activate the Firewall

  1. Go to Control Panel > Security > Firewall.
  2. Tick Enable firewall and click Apply. The default firewall profile will be applied to your DSM.

Utilizing the Security Advisor

Security Advisor is a built-in application that scans your Synology NAS, checks your DSM settings, and provides advice on how to address security weaknesses. Keep your Synology NAS secure by following the steps below:

Scan your Synology NAS immediately
1. Go to Security Advisor > Overview.
2. Click Scan.

  1. Fix the security weaknesses according to the scanning results.

Set up an automatic scan schedule
1. Go to Security Advisor > Advanced.
2. Tick Enable regular scan schedule under the Scan Schedule section. Select the time to run scanning from the drop-down menus.

  1. Click Apply to save the settings.

How to Activate 2-factor authentication

2-factor authentication provides additional security for your DSM account. Once this option is enabled, you will need to enter a one-time authentication code besides your password when signing in to DSM. The code can be obtained through authenticator apps (e.g., Synology Secure SignIn and Google Authenticator) installed on your mobile device.

To enable 2-factor authentication for your account, please follow the steps below:
• Go to Personal > Account and click 2-Factor Authentication to launch the setup wizard. Enter your password to continue.

• If Secure SignIn Service is already enabled in Control Panel > Security > Account, select from either Approve sign-in, hardware security key, or OTP for the second sign-in step.
• If Secure SignIn Service has not been enabled, OTP is the only available option for the second sign-in step.

How to Enable auto block, Account Protection, and DoS protection

You can safeguard DSM through these three mechanisms: autoblock, Account Protection, and DoS protection.

Autoblock unauthorized access

  1. Go to Control Panel > Security > Protection > Auto Block.
  2. Tick Enable autoblock.
  3. Enter a value in the Login attempts field and a value in the Within (minutes) field. An IP address shall be blocked when it exceeds the number of failed login attempts within the specified duration.
  4. Tick Enable block expiration and enter a value in the Unblock after (days) field to unlock a blocked IP address after the specified number of days.
  5. Click Apply to save the settings.

Enable Account Protection to prevent login attacks

  1. Go to Control Panel > Security > Account > Account Protection.
  2. Tick Enable Account Protection.
  3. Enter a value in the Login attempts field and a value in the Within (minutes) field. An untrusted client will be blocked if it exceeds the number of failed login attempts within the specified duration.
  4. For Untrusted clients, enter a value in the Cancel account protection (minutes later) field. The account protection will be cancelled after the specified duration.
  5. For Trusted clients, enter a value in the Unblock (minutes later) field. The account protection will be cancelled after the specified duration.
  6. Click Apply to save the settings

Setting up Defence against DoS attacks

A Denial-of-Service (DoS) attack is a malicious attempt to render network services unavailable by disrupting service functionality. To avoid this type of cyberattack, follow the steps below:
1. Go to Control Panel > Security > Protection > Denial of Service (DoS) Protection.
2. Tick Enable Dos Protection and click Apply

How to Ensure your Synology NAS & DSM 7 is Constantly updated

Synology releases DSM updates from time to time. Updates may include new features function improvements and performance enhancements. This section guides you through the configuration of DSM updates. Perform manual DSM update
1. Go to Synology’s Download Center.
2. Select your model from the two drop-down menus.
3. Go to the Operating System tab of search results and download an update file.
4. Go to DSM > Control Panel > Update & Restore > DSM Update.
5. Click Manual DSM Update.

  1. In the pop-up window, click Browse to upload the file

  1. Click OK and wait for the file to be uploaded.
  2. After reading through the update information and ticking the confirmation checkbox, click Update.
  3. Click Yes in the confirmation box. The installation can take 20 to 40 minutes. Please do not shut down the system during the update.
  4. The system will restart all services and packages when the update is complete.

How to Setup the NAS to Automatically Install DSM 7 Updates

  1. Go to DSM > Control Panel > Update & Restore > DSM Update.
  2. Click Update Settings.
  3. In the pop-up window, you can configure the following settings to check for DSM releases via Synology’s Download Center.

• Automatically install important updates that fixed critical security issues and bugs (Recommended): Allow the system to automatically install important DSM updates. To ensure that your system is always protected, we recommend enabling this option.
• Automatically install the latest update: Allow the system to automatically install new DSM updates when the system check finds new updates available.
• Notify me and let me decide whether to install the new update: Have the system notify you via desktop notifications when there is a new DSM update available. You can choose whether to download the update after receiving the notification.

• Check schedule: Decide when the system should check for available updates. Specify the check time from the drop-down menus.

• An automatic update only applies to minor updates and not to major updates. Generally, minor updates consist of bug fixes and security patches, major updates include brand-new features and performance enhancement in addition to bug fixes and security patches, and important updates contain fixes for critical security issues or bugs. For more information about important updates, please refer to this article.

 

 

📧 LET ME KNOW ABOUT NEW POSTS 🔔

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,258 other subscribers

Get an alert every time something gets added to this specific article!


Want to follow specific category? 📧 Subscribe

This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below

Need Advice on Data Storage from an Expert?

We want to keep the free advice on NASCompares FREE for as long as we can. Since this service started back in Jan '18, We have helped hundreds of users every month solve their storage woes, but we can only continue to do this with your support. So please do choose to buy at Amazon US and Amazon UK on the articles when buying to provide advert revenue support or to donate/support the site below. Finally, for free advice about your setup, just leave a message in the comments below here at NASCompares.com and we will get back to you. Need Help? Where possible (and where appropriate) please provide as much information about your requirements, as then I can arrange the best answer and solution to your needs. Do not worry about your e-mail address being required, it will NOT be used in a mailing list and will NOT be used in any way other than to respond to your enquiry. [contact-form-7]     Terms and Conditions Alternatively, why not ask me on the ASK NASCompares forum, by clicking the button below. This is a community hub that serves as a place that I can answer your question, chew the fat, share new release information and even get corrections posted. I will always get around to answering ALL queries, but as a one-man operation, I cannot promise speed! So by sharing your query in the ASK NASCompares section below, you can get a better range of solutions and suggestions, alongside my own.  
❌