Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[?] Need help with SMB Security practice

Featured Replies

Good Afternoon All, 

 

I am trying to understand SMB security, as I am retiring a server and am going to build a new one in a few weeks. To be honest I never touched SMB Security because as most here I followed videos and shares were mostly created as Public and I left it that way.

 

I am the only one that does any admin work on my servers, no one has access other than to watch Emby, or Plex. With that being said then all of my shares should be Private then correct? OR do I need some to be Public for Apps to use them?

 

Allow me to clarify. If I have a Downloads share should that be private or does it have to be public so that apps like Sonarr or Radarr to work properly? I never gave it much thought as I always had password to login, but after reading about attacks on UNRaid users it got me thinking, and here I am asking those smarter than me to help me understand exactly how it works. I did read several threads here but for some reason it just wasn't clicking. (I didn't get that aha moment yet)

 

Thanks for the help, in advance.

  • Community Expert

Programs running on the server don't even need things to be shared via SMB.

 

SMB and its users config is only about who you want allowed to access at all/read/write to from network shares.

  • Author

@Kilrah, thank you so much for taking the time to explain that to me, I just got the aha moment. lol. So at the very least everything should be read-only then as opposed to just Public then correct?

  • Community Expert

Since this is only accessible within your network... I guess it depends whether you trust people who can access it?

 

 

  • Author

Well since I know that it only applies to people on the network I was thinking of the UnRaid Server Security Best Practices I read. Here's a snippet of the article;

 

Restrict Share Access

Use Read-Only shares whenever possible! Create other Users on your Unraid server and set the appropriate share access for each user. If particular users don't need write access, make them read-only.

 

That's why I figured at the very least most everything should be read-only.

  • Community Expert
5 hours ago, Kilrah said:

I guess it depends whether you trust people who can access it?

 

Trust is a strong word and implies that someone will knowingly do something malicious.  There is also the problem of people who are completely trustworthy but not technically competent doing some action that will cause data loss.  There is further problem that a piece of malware could be installed on a client computer that could do damage to server files if they are writable!  (First rule for data security, no client should have write access to a share unless that client has viable need for it!)

 

@gyrene2083, I might suggest that you look at this thread if you want to secure your server's data:

 

       https://forums.unraid.net/topic/110580-security-is-not-a-dirty-word-unraid-windows-10-smb-setup

 

PS--- I have both my servers setup so that I do not have read write access to any share.  If I have to do file maintenance, I either temporary chage the default of do via a Docker of the terminal.  I even have a way to add files to server without changing the access privileges!  (If you want to know about this, inquire...)

Edited by Frank1940
used wrong word--see strikeout in last paragraph

  • Community Expert

All depends what the purpose of the share is.

Obviously as a start only enable SMB on the shares that it makes sense accessing through the network, probably not many of them on a typical setup.

 

My "isos" share is public, that way I can drop an iso to install from without bothering to login, and nothing on there is of value.

I have a public share that's similarly meant to just drop something on to grab it back from another machine, again only temporary use.

 

The ones holding important files that need to be accessible from the network have a user/pass with read/write access.

Media has "Secure" so anyone can read, but with login I can write.

  • Author

@Frank1940 Thank you so much for your input, and heck yeah I want to learn more. I first got on board with UNRaid when the site was Limetech, and they sent out a USB with a Limetech sticker which I still have on my server since '09. Setting it up back then I wasn't as security conscious and just had my blurays and DVDs I ripped on it to play on Kodi. 

 

But now, it's time to retire my Norco, and with that times have changed and I want to do things the right way for '22. I appreciate all any input you are willing to share, as I have tons of questions, and almost feel embarrassed about the questions, being such a long time user. 

 

Here's a pic of the Norco and the Limetech sticker;

1127028688_ScreenShot2022-07-25at19_06_47.thumb.png.4a98e345179abd80b5e2a13deae4a559.png

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.