New User - Need a Secure Strategy for Write Access Avoiding Ransomware Exposure



 As the title states I am a new user to unRAID and just installed the trial version of 6.3.5.

 

I am coming from Windows Home Server 2011 with DrivePool.

 

I am using the server as a family media server (movies/music/pictures) and also to store some docs.

 

The use case is 99% reading media to Plex and Windows shares.

 

A couple times a month I will add new media to the server.

 

My strategy is to set up the media shares as Secure, with read-only access for the household Windows accounts, including my own account. The intent is to protect from immediate issues with ransomware or accidental deletions. (I manually back up the important stuff off of the server, but am also researching automated backup on unRAID; separate topic coming.)

 

I was hoping I could create an unRAID account with write access and only access that when I am deliberately adding or changing files on the server (from Windows 10), to eliminate write access exposure at all other times (from Windows 10). I am happy having to enter user/pass any time I am doing this (from Windows 10). I really don't want writable shares just sitting there waiting for malware/ransomware/accident to happen.

 

Ideas:

I tried creating a user/pass in unRAID specifically for maintenance. In Windows there is no place to enter a user/pass when trying to write to those shares from another Windows account that does not have write access to those shares; I just get access denied.

 

Also I can't create an unRAID user/pass to match my Windows account user/pass. My whole family has Windows accounts; I monitor the kids' internet usage with the Windows family tools. The user account is in the format firstname <space> lastname and/or email address, and unRAID appears not to be able to handle the spaces or special characters in the usernames.

 

My UNIX/Linux experience is between a beginner and medium. I can navigate a command prompt with basic commands and teach myself (man/help) how to use utilities/commands, etc. and have no problem following tutorials.

 

Any strategies or guides would be appreciated.

 

Thanks and have a great day.

 

 


OK, I've been thinking about this and I think I can just create a separate local Windows account specifically for adding and editing files on the server. I can just log in when needed; easy enough. I can even create a local "move to server" folder/share to help between accounts.

 

Hopefully the rest of the users with online Microsoft accounts will be able to see the shares read-only, because I can't add them as named users in unRAID due to the required spaces and special characters in the Windows online accounts.

 

Any comments/critique of this strategy is appreciated. 

 

Thanks


Frank1940,

 

Thank you for the helpful replies!

 

The threads you linked to were great and I realized I was overthinking everything.

 

I created a local Windows account only for unRAID file maintenance/adding files to the server and it seems to be working great.

 

Thanks again.


Just remember to only use this account for unRAID file maintenance. If you start using it to check e-mail and other web browsing, you are defeating what should be its sole purpose. I have never read a complete blow-by-blow account of a ransomware attack, but I imagine that it runs in the background and can take a long time to complete depending on the number of files and their size.


You could set all the user shares to Secure and share the cache drive as public. Then, navigate to cache and write the data in directories with the exact same name as the user shares. The mover will copy off the cache overnight and the data will be write protected. No need to add any users to the server if you do it this way.

 

For example, if you have a share called "Music" then go to \\TOWER\cache and write the data to a directory called "Music". Then, the data will be moved to the array overnight and protected once it's on the array.

 

18 hours ago, lionelhutz said:

You could set all the user shares to Secure and share the cache drive as public. Then, navigate to cache and write the data in directories with the exact same name as the user shares. The mover will copy off the cache overnight and the data will be write protected. No need to add any users to the server if you do it this way.

 

For example, if you have a share called "Music" then go to \\TOWER\cache and write the data to a directory called "Music". Then, the data will be moved to the array overnight and protected once it's on the array.

 

 

 

Love it!

 

Thank you, I will try this today.

On 5/29/2017 at 3:27 PM, lionelhutz said:

You could set all the user shares to Secure and share the cache drive as public. Then, navigate to cache and write the data in directories with the exact same name as the user shares. The mover will copy off the cache overnight and the data will be write protected. No need to add any users to the server if you do it this way.

 

For example, if you have a share called "Music" then go to \\TOWER\cache and write the data to a directory called "Music". Then, the data will be moved to the array overnight and protected once it's on the array.

 

Has anyone tried this approach to see if there are any problems? It appears that it would work, but it would be nice to have some confirmation. Of course, it must be realized that it will only work for those shares which are primarily read-only. And there would have to be one user with read-write access to do any required file maintenance that might be required.

44 minutes ago, Frank1940 said:

Has anyone tried this approach to see if there are any problems? It appears that it would work, but it would be nice to have some confirmation. Of course, it must be realized that it will only work for those shares which are primarily read-only. And there would have to be one user with read-write access to do any required file maintenance that might be required.

 

This is how I have been doing things for a while. All my shares are set to Secure, with only my Cache drive set as Public. All auto-downloading (Sickbeard & SAB) and CrashPlan backups work without issue, and all media players only need read access for playback. When I manually add files to my server, I put them on the Cache drive in folders matching share folder names so they get moved to the array by the Mover. (I have a blank folder hierarchy for my shares saved to a Temp folder on my Cache drive that is Cache-Only so it doesn't get moved. I can copy that folder hierarchy to the root of the cache drive and then place new files in without having to create folders with the exact same name as my share folders.) And if I need to move files around on the array, I just temporarily change the Share to Public, make my changes, and then switch back to Secure.

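The "write into a cache directory with the exact share name" workflow from lionelhutz's post, and the blank folder hierarchy trick from the post above, as an added example that is not from the thread or from unRAID itself: it creates the drop directories on the cache for every existing user share (skipping cache-only ones you name, such as appdata) and flags any cache-root directory whose name matches no share, since a mistyped name would become a new share once the mover runs. It assumes the unRAID default layout of user shares under /mnt/user/<share> and the cache disk at /mnt/cache; both paths are parameters, and the demo builds a constructed temp layout instead.

```shell
#!/bin/sh
# Added example for this thread; not unRAID code and not from the posters.
# Assumed layout (unRAID defaults): user shares under USER_ROOT/<share>
# (/mnt/user) and the cache disk at CACHE_ROOT (/mnt/cache).

# Create an empty drop directory on the cache for every existing user share,
# except the names given after the two roots (cache-only shares like appdata).
make_drop_dirs() {  # make_drop_dirs USER_ROOT CACHE_ROOT [SKIP...]
  user_root=$1; cache_root=$2; shift 2
  for dir in "$user_root"/*/; do
    [ -d "$dir" ] || continue
    share=$(basename "$dir")
    skip=0
    for s in "$@"; do [ "$s" = "$share" ] && skip=1; done
    [ "$skip" -eq 1 ] && continue
    mkdir -p "$cache_root/$share"
  done
}

# Print each top-level cache directory that matches no user share name;
# anything listed here would be turned into a brand-new share by the mover.
stray_cache_dirs() {  # stray_cache_dirs USER_ROOT CACHE_ROOT
  for dir in "$2"/*/; do
    [ -d "$dir" ] || continue
    name=$(basename "$dir")
    [ -d "$1/$name" ] || printf '%s\n' "$name"
  done
}

# Constructed sample layout in a temp dir (not a real server); prints its root.
demo_setup() {
  root=$(mktemp -d)
  mkdir -p "$root/user/Music" "$root/user/Movies" "$root/user/appdata" \
           "$root/cache/appdata" "$root/cache/Musik"   # "Musik" is a typo
  printf '%s\n' "$root"
}

if [ "${1:-}" = "demo" ]; then
  root=$(demo_setup)
  make_drop_dirs "$root/user" "$root/cache" appdata
  echo "stray cache directories:"; stray_cache_dirs "$root/user" "$root/cache"
  rm -rf "$root"
fi
```

Run it as `sh script.sh demo` to see the constructed case; on a real server call the two functions with /mnt/user and /mnt/cache.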

 

On 6/1/2017 at 6:03 PM, Frank1940 said:

Has anyone tried this approach to see if there are any problems? It appears that it would work, but it would be nice to have some confirmation. Of course, it must be realized that it will only work for those shares which are primarily read-only. And there would have to be one user with read-write access to do any required file maintenance that might be required.

 

Yes, it would work. I haven't added any users on the server and I keep the shares secured from external writing. Most of my media operations are contained on the server, so I don't write much to the server manually. I will also set a share to Public to edit it when needed before setting it back to Secure once done. For most media, I have CP and Sickbeard installed and have the "completed download" share as Public. So, I write the file there and let CP or Sickbeard move it and properly rename it. That way, I don't have to leave the cache with the VMs and appdata exposed, and I don't have to get the directory structure or the name correct either.

 

If the cache is exposed as public then it would be a good idea to do backups of any of the cache only user shares, such as the appdata or domains.

 
