July 25, 20223 yr Good Afternoon All, I am trying to understand SMB security, as I am retiring a server and am going to build a new one in a few weeks. To be honest I never touched SMB Security because as most here I followed videos and shares were mostly created as Public and I left it that way. I am the only one that does any admin work on my servers, no one has access other than to watch Emby, or Plex. With that being said then all of my shares should be Private then correct? OR do I need some to be Public for Apps to use them? Allow me to clarify. If I have a Downloads share should that be private or does it have to be public so that apps like Sonarr or Radarr to work properly? I never gave it much thought as I always had password to login, but after reading about attacks on UNRaid users it got me thinking, and here I am asking those smarter than me to help me understand exactly how it works. I did read several threads here but for some reason it just wasn't clicking. (I didn't get that aha moment yet) Thanks for the help, in advance.
July 25, 20223 yr Community Expert Programs running on the server don't even need things to be shared via SMB. SMB and its users config is only about who you want allowed to access at all/read/write to from network shares.
July 25, 20223 yr Author @Kilrah, thank you so much for taking the time to explain that to me, I just got the aha moment. lol. So at the very least everything should be read-only then as opposed to just Public then correct?
July 25, 20223 yr Community Expert Since this is only accessible within your network... I guess it depends whether you trust people who can access it?
July 25, 20223 yr Author Well since I know that it only applies to people on the network I was thinking of the UnRaid Server Security Best Practices I read. Here's a snippet of the article; Restrict Share Access Use Read-Only shares whenever possible! Create other Users on your Unraid server and set the appropriate share access for each user. If particular users don't need write access, make them read-only. That's why I figured at the very least most everything should be read-only.
July 25, 20223 yr Community Expert 5 hours ago, Kilrah said: I guess it depends whether you trust people who can access it? Trust is a strong word and implies that someone will knowingly do something malicious. There is also the problem of people who are completely trustworthy but not technically competent doing some action that will cause data loss. There is further problem that a piece of malware could be installed on a client computer that could do damage to server files if they are writable! (First rule for data security, no client should have write access to a share unless that client has viable need for it!) @gyrene2083, I might suggest that you look at this thread if you want to secure your server's data: https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup PS--- I have both my servers setup so that I do not have read write access to any share. If I have to do file maintenance, I either temporary chage the default of do via a Docker of the terminal. I even have a way to add files to server without changing the access privileges! (If you want to know about this, inquire...) Edited July 26, 20223 yr by Frank1940 used wrong word--see strikeout in last paragraph
July 25, 20223 yr Community Expert All depends what the purpose of the share is. Obviously as a start only enable SMB on the shares that it makes sense accessing through the network, probably not many of them on a typical setup. My "isos" share is public, that way I can drop an iso to install from without bothering to login, and nothing on there is of value. I have a public share that's similarly meant to just drop something on to grab it back from another machine, again only temporary use. The ones holding important files that need to be accessible from the network have a user/pass with read/write access. Media has "Secure" so anyone can read, but with login I can write.
July 25, 20223 yr Author @Frank1940 Thank you so much for your input, and heck yeah I want to learn more. I first got on board with UNRaid when the site was Limetech, and they sent out a USB with a Limetech sticker which I still have on my server since '09. Setting it up back then I wasn't as security conscious and just had my blurays and DVDs I ripped on it to play on Kodi. But now, it's time to retire my Norco, and with that times have changed and I want to do things the right way for '22. I appreciate all any input you are willing to share, as I have tons of questions, and almost feel embarrassed about the questions, being such a long time user. Here's a pic of the Norco and the Limetech sticker;
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.