Security Is Not a Dirty Word: Unraid & Windows 10 SMB Setup



The attachment in this post is a joint effort between @Batter Pudding and myself. @Batter Pudding supplied much of the technical part of the Attached Document and I provided most of the background information.
 

What we are attempting to do is to show that it is easy to actually use Unraid with all of the security features that Microsoft has incorporated into Windows 10. What many of us have been doing (myself included) is to reverse those enhancements to security and use our Unraid network in what is basically a 2010 security environment.
 

@limetech has announced in the release thread for version 6.9.2 that they are about to increase security on Unraid in future releases.

Quote

 

Unraid OS has come a long way since originally conceived as a simple home NAS on a trusted LAN. It used to be that all protocols/shares/etc were by default "open" or "enabled" or "public" and if someone was interested in locking things down they would go do so on a case-by-case basis. In addition, it wasn't so hard to tell users what to do because there weren't that many things that had to be done. Let's call this approach convenience over security.
 

Now, we are a more sophisticated NAS, application and VM platform. I think it's obvious we need to take the opposite approach: security over convenience. What we have to do is lock everything down by default, and then instruct users how to unlock things.


For example:

  • Force user to define a root password upon first webGUI access.
  • Make all shares not exported by default.
  • Disable SMBv1, ssh, telnet, ftp, nfs by default (some are already disabled by default).
  • Provide UI for ssh that lets them upload a public key and checkbox to enable keyboard password authentication.
  • etc.

 

 

Unfortunately, this list is going to impact a lot of current Unraid users as many have set up their Unraid servers and networking to use these very features. Each user will have two choices. Either embrace security or spend time to undo each new security addition that either LimeTech or MS adds in their updates. If you decide to continue to bypass security, just realize that the number of folks prepared to assist you with any problems doing this will probably decline as more folks adopt increased security as a necessity.

 

In some cases, this is going to present some difficult decisions. For example, I have an old Netgear NTV-550 set top media player (last firmware/software update was in early 2011) that only supports SMBv1 or NFS.  Do I open up a security hole to use a well-functioning piece of equipment or do I replace it?  (The choice, obviously, is one that only I can make...)
 

Two Important things!

  • Do not post up any problems that you have with networking between Windows 10 and Unraid in this thread! Start a new thread in the General Support forum.
  • Please don’t tell us that there is another way to do something and that we should change our recommendation to employ that method. If you feel you have a better way, you are encouraged to write it up in detail and post it in this thread pointing out the advantages of your way. (One well regarded Windows 10 networking book has over 400 pages in it. Our document is 16 pages long…)

 

Unraid & Windows 10 SMB Setup.pdf

Link to comment

During one of our Private Message discussions, @Batter Pudding suggested that ‘Short Sheets’ of the steps involved in each procedure could be beneficial. I know that when I am doing any multi-step procedure, I like to have a printout of the procedure and check off each step as I complete it. The attachments to this posting are the short sheets for each procedure in the document in the first post.


 

  • How To #1-Advance Network Settings.pdf
  • How to #2-Fixing the Windows Explorer Issue.pdf
  • How to #3– Turning Off “SMB 1.0_CIFS File Sharing Support”.pdf
  • How to #4-Adding a SMB User to Unraid.pdf
  • How to #5-Adding a Windows Credential.pdf

Edited by Frank1940
Link to comment

Thank you so much for the complete set of instructions!  Highlighting the difference between accessing the UnRAID server from the Network icon from the Explorer left side panel vs. directly typing in \\SERVER in the location bar was the epiphany for me.  The former does not work and the latter does.  Thank you so much!!

 

With UnRAID public and private access working, I wonder if there is a way to map the UnRAID server to Explorer either as a drive or as a Network Location.  For example, if my UnRAID server is called \\SERVER, would it be possible to map that "top" path as a Network Location so that when I click on it, I see all my UnRAID shares?  I can access it via the shortcut method described in the document, but having it in Explorer will be easier.  Thanks!

 

hmmm....as an update, it seems after waiting a few minutes, the left panel Network icon access now works.  I can see all my UnRAID shares when I click on my UnRAID server and I can access both public and private shares.  I thought this was an SMB 1.0 feature which I had turned off per the document. 

 

Guess I'm confused again....but at least it all works now!!

Edited by Hammer8
Link to comment
23 hours ago, Hammer8 said:

hmmm....as an update, it seems after waiting a few minutes, the left panel Network icon access now works.  I can see all my UnRAID shares when I click on my UnRAID server and I can access both public and private shares.  I thought this was an SMB 1.0 feature which I had turned off per the document. 

 

I have noticed that too.  I suspect that it is being caused by the fact that SMBv1 is not turned off (yet) on the Unraid servers.  (Contributing may be the fact that Network Discovery is on in Windows...)   I do think that I know how to turn off SMBv1 on the server but I am waiting to see exactly how LimeTech is going to be handling this when they release 6.10.0...

 

By the way, I did try to add a network location that pointed directly to my Unraid server as you indicated that you wanted.  It said that this was not allowed and I would have to point it directly to one of the shares on that server.   (I suspect that this is a security issue.  Much the same as you are not allowed to map a physical  Windows Drive (like C:\) as a share from your Windows PC--  you must pick a folder or sub-folder.)

Link to comment
3 hours ago, Frank1940 said:

I suspect that it is being caused by the fact that SMBv1 is not turned off (yet) on the Unraid servers.

 

You can disable SMBv1 in Unraid by going to Settings -> SMB Settings and setting Enable NetBIOS to No. Perhaps Network Discovery is happening through WSD

 

Link to comment
14 hours ago, ljm42 said:

 

You can disable SMBv1 in Unraid by going to Settings -> SMB Settings and setting Enable NetBIOS to No. Perhaps Network Discovery is happening through WSD

 


 

 

 

2 hours ago, Hammer8 said:

I'm not sure if SMBv1 is on in my UnRAID server...I have this on my SMB extra settings box:  min protocol = SMB2

 

This is why I am hoping that these types of discussions could wait until LimeTech has implemented their security enhancements on the Unraid side in 6.10.0.  @ljm42 is showing one approach (which LimeTech might build on) and @Hammer8 is showing another one.  ( @Hammer8--- Yes, you have turned off SMBv1 with this entry in the smb-extra.conf file.  However, you could also have it enabled with the setting that @ljm42 showed but the entry in the file will cancel that!)   Otherwise, I am afraid that we could end up in a situation like exists in Windows where there is more than one way to accomplish the same thing.   Hopefully, then we can hold discussions, come to a consensus as to what user controls are needed, and a system which has a single interface to control SMB security level to meet the needs of each individual user.

Link to comment
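
The override discussed in the post above, as an added example (not code from the thread, LimeTech or Samba): a Python check that reads Samba configuration fragments in order and reports whether the effective `server min protocol` still admits SMBv1. `GENERATED` is a constructed stand-in for whatever the Unraid GUI writes, only the `min protocol = SMB2` line comes from the thread, and the fragments are assumed to be read starting in `[global]`.

```python
import re

# Protocol names Samba accepts that belong to the SMB1 family or older.
SMB1_ERA = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "min protocol" is a synonym for "server min protocol". Samba ignores case
# and whitespace in parameter names, so names are compared normalized.
# "client min protocol" is deliberately absent: it governs Samba as a client.
SERVER_MIN = {"minprotocol", "serverminprotocol"}

# Constructed sample input (GENERATED is hypothetical, EXTRA is the thread's line).
GENERATED = "[global]\nserver min protocol = NT1\n"
EXTRA = "# smb-extra.conf\nmin protocol = SMB2\n"


def effective_server_min(*fragments):
    """Return the last [global] server min protocol across the fragments,
    read in order as one configuration, or None if it is never set."""
    section = "global"  # assumption: fragments are included from [global]
    value = None
    for text in fragments:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in "#;":
                continue  # blank line or comment
            header = re.fullmatch(r"\[(.+)\]", line)
            if header:
                section = header.group(1).strip().lower()
                continue
            name, sep, val = line.partition("=")
            key = re.sub(r"\s+", "", name).lower()
            # Global-only parameter: occurrences inside share sections are skipped.
            if sep and section == "global" and key in SERVER_MIN:
                value = val.strip().upper()  # a later entry overrides an earlier one
    return value


def smb1_allowed(*fragments):
    """True or False when the configuration decides it; None when nothing is
    set and the answer depends on the Samba build's default."""
    value = effective_server_min(*fragments)
    return None if value is None else value in SMB1_ERA


if __name__ == "__main__":
    print("effective:", effective_server_min(GENERATED, EXTRA))
    print("SMBv1 allowed:", smb1_allowed(GENERATED, EXTRA))
```

On a live server, `testparm -sv` prints the configuration Samba actually resolved, including defaults this sketch cannot know.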
