February 15, 2008

I was trying to turn on user security today, and I think I just don't quite understand the interaction of unRAID security with Windows security.

Before "introducing" unRAID to my family, I need to know how to lock it down. Most importantly, I want to restrict access to my 12-year-old son's login on ONE disk share (disk10). It contains all the "R" rated movies that I don't want him seeing. It also contains backups which contain financial data.

I reread the manual and did a bunch of forum searches, but can't seem to figure out how this is supposed to work. Could some kind soul point me in the right direction?

I currently have "User shares" disabled, only disk shares are exported (read/write). I'd rather not mess with User Shares right now, but will enable them if I can't assign security on a disk share by disk share basis.

My Windows userid is "B J P" (notice spaces in the middle).

When I turned on user security and tried to attach to a disk share, I got a Windows login prompt, the username was "\\Tower\Guest" - which was grayed out and could not be changed. I could enter a password - but it would not take an empty password, a single space, or my Windows password.

So I tried to create an unRAID account called "Guest" (which it didn't accept because of the capital "G"), so instead created an account called "guest". Same problem trying to attach to the disk share.

I tried to create an unRAID account called "B J P", but it didn't like the caps or the spaces.

So instead, I created a new user in unRAID called "b_j_p", with the password being the same as my Windows password. And I renamed my Windows account to "b_j_p" to live within unRAID's user naming standards, and tried to attach to a disk share. I was hoping it would "recognize me" since my userid and password matched and NOT have to prompt for a password. No such luck - up came the login to "\\Tower\Guest" prompt. CRAP!

I thought maybe I needed to assign a root password, so I did. After all, security is pretty thin if anyone can change security. I started getting login prompts on the management console, but was able to log in as root. I tried to attach to a disk share again - still got that prompt to login as "\\Tower\Guest". ARG!

I disabled user security and all is back to normal.

Thanks for any help!

- Brian
February 16, 2008

Hi,

I'm a new user so I will try to explain what I will set up over this weekend. I can't guarantee that it works but I will try the following steps:

1.) Set root password. Check result on console.
2.) Enable User-shares. (I know they work as expected, already did a test drive).
3.) Set disk-shares to "don't export".
4.) Set flash-share to "don't export".
5.) Create user shares for "media for anyone", "restricted media", "mom", "dad" and another one for each kid.
5a.) Set "media for anyone" to:
     Export mode: Export read-only
     Exceptions: dad
5b.) Set "restricted media" to:
     Export mode: Export read-only/hidden
     Exceptions: dad
     Valid users: mom,dad
5c.) Set "dad" to:
     Export mode: Export read-only/hidden
     Valid users: dad
5d.) Set "mom" to:
     Export mode: Export read-only/hidden
     Valid users: mom
5e.) Set "kid1" to (renamed):
     Export mode: Export read-only/hidden
     Valid users: kid1
5f.) Set "kid2" to (renamed):
     Export mode: Export read-only/hidden
     Valid users: kid2
6.) On all PCs create user accounts. They don't need to have the names of the unRAID accounts.
6a.) Dad's PC:
     Attach drive letter R: to \\Tower\restricted media (use specific name and password of the share)
     Attach drive letter Y: to \\Tower\media (...)
     Attach drive letter Z: to \\Tower\dad (...)
6b.) Mom's PC:
     Attach drive letter R: to \\Tower\restricted media (use specific name and password of the share)
     Attach drive letter Y: to \\Tower\media (...)
     Attach drive letter Z: to \\Tower\mom (...)
6c.) Kid1 PC:
     Attach drive letter Y: to \\Tower\media (...)
     Attach drive letter Z: to \\Tower\kid1 (...)
6d.) Kid2 PC:
     Attach drive letter Y: to \\Tower\media (...)
     Attach drive letter Z: to \\Tower\kid2 (...)

There are still two problems left.

a.) The access to the management console with "//Tower" is still possible for anyone in the network. I will filter that in my router so that I can switch that on/off. The access to the router is restricted to me ;-)

b.) The family PC (HTPC) with Media Portal on top. Can I install and configure MediaPortal for every user? Hmm, if not, what account should I use? If I want to see restricted media I need to attach the drives here. I can give Pin-Codes to drives within Media Portal. But wait, if the kids close MediaPortal they can access the share directly. It seems that this is the only problem left. If you don't have a family PC the problem doesn't fit here ...

Does this sound reasonable? I will start tomorrow ...

Regards
Harald
February 16, 2008

> <snip>
> There are still two problems left.
> a.) The access to the management console with "//Tower" is still possible for anyone in the network. I will filter that in my router so that I can switch that on/off. The access to the router is restricted to me ;-)
> <snip>

You can also configure the management console to use a non-standard port.

In the "go" script change the following line:

    /usr/local/sbin/emhttp &

to be

    /usr/local/sbin/emhttp -p 8080 &

Now, when you reboot the unRaid server, its management page will be on port 8080 instead of 80 (the default used by your web-browsers).

The URL to get to it would then be //tower:8080/main.htm

You can use most any un-used port if 8080 is not a good one for you.

Granted, the management console will not be more secure, but less likely for your kids to stumble across, especially if you can block the non-standard port on your router. Think of it as "security through obscurity."

Joe L.
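Added example, not part of Joe L.'s post or of unRAID: the "go" script edit described above as an idempotent shell function that validates the port, keeps a backup, and confirms the line was rewritten. The thread does not give the go file's location, so it is passed as an argument; the sample go contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sets the emhttp port in a "go" script.
# Usage: set_emhttp_port GO_FILE PORT   (GO_FILE path is supplied by the caller)

set_emhttp_port() {
    go_file=$1
    port=$2

    # Reject anything that is not a plain TCP port number before it reaches sed.
    case $port in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 2
    fi

    # Refuse to touch a file that has no emhttp start line.
    grep -q '^/usr/local/sbin/emhttp' "$go_file" 2>/dev/null || {
        echo "no emhttp line in $go_file" >&2; return 1
    }

    # Keep the previous version so a bad edit can be undone from the console.
    cp -p "$go_file" "$go_file.bak" || return 1

    # Rewrite the start line whether or not it already carries "-p N",
    # so running the function twice never stacks options.
    sed -E "s|^(/usr/local/sbin/emhttp)([[:space:]]+-p[[:space:]]+[0-9]+)?[[:space:]]*&[[:space:]]*\$|\1 -p $port \&|" \
        "$go_file.bak" > "$go_file"

    # Succeed only if the expected line is really there now.
    grep -qxF "/usr/local/sbin/emhttp -p $port &" "$go_file"
}

# Demo on a constructed go script in a temporary file.
demo_go=$(mktemp)
printf '%s\n' '#!/bin/bash' '# Start the Management Utility' \
    '/usr/local/sbin/emhttp &' > "$demo_go"
set_emhttp_port "$demo_go" 8080 && cat "$demo_go"
rm -f "$demo_go" "$demo_go.bak"
```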
February 16, 2008

> You can also configure the management console to use a non-standard port.
>
> In the "go" script change the following line:
>
>     /usr/local/sbin/emhttp &
>
> to be
>
>     /usr/local/sbin/emhttp -p 8080 &

Ah, I see. Cool! Thanks.

Harald
February 17, 2008

> Granted, the management console will not be more secure, but less likely for your kids to stumble across, especially if you can block the non-standard port on your router. Think of it as "security through obscurity."

BTW, is it possible to move the starting page (e.g. index.html) to something like "xyzblablub.html"? This would give 5% more security as well.

Regards
Harald
February 17, 2008 (Author)

Thanks! My array is currently offline with a hardware problem. Once I get things fixed, I'll try and follow through these directions.

- Brian
February 18, 2008

> > Granted, the management console will not be more secure, but less likely for your kids to stumble across, especially if you can block the non-standard port on your router. Think of it as "security through obscurity."
>
> BTW, is it possible to move the starting page (e.g. index.html) to something like "xyzblablub.html"? This would give 5% more security as well.
>
> Regards
> Harald

Perhaps BASIC AUTHENTICATION should be used so the web server is inaccessible without the proper user name and password.