New DS220j – To reformat or not to reformat?

NAS: DS220j
Operating system: macOS
Mobile operating system: iOS

Hi guys, I just bought DS220j and installed two new WD red 4TB in it.

I want to use it for backup of older projects and larger files, so that I can keep my MacBook Air, which is now full, running smoothly.

I would also like to back up everything that will be on my DS220j to the cloud, so that it's not just in one location. On my computer I use Backblaze for this function, but I think I will use the Synology C2 backup on my DS220j, it seems better integrated.

I have a few questions:

1) Is it ok to leave DS220j on default settings (after installing two WD red 4TB disks in it) or should I reformat it in any way before starting to back up files on it? I watched this video on YouTube – [embedded video] – and he recommends reformatting on the initial setup. But it seems that the default Synology setup is working fine right now. Are there any real benefits of reformatting with settings shown in the video, when considering my type of use?

2) I don't want to access my DS220j files from anywhere but my computer. Is it smart to disable QuickConnect if I won't use it, because of security?

3) Is there anything else, security-wise, that I should do?

4) Where should I put my files? (home/homes/etc) Does it matter?

Thank you for your help!
 
  1. Initial setup reformats your disks and creates the storage pool and volume. You’re already good to go.
  2. Disable QC Relay to stop access that doesn’t require specific firewall rules on your router. But you can turn off QC fully too.
  3. Any device on your home network that can access the Internet and the NAS can be used as an attack vector.
    1. Only open services you use
    2. Only allow authenticated user access.
    3. Set SMB to a minimum of v2.
    4. Create a new administrator user and disable the default admin
    5. Disable guest user access
  4. User home is set to allow only that user to access it (admins can too). I’d use it. You could use other places (or create new shared folders) but you must set up permissions to limit who can access these locations.
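
A way to check the SMB items in the list above (minimum protocol version, guest access) against a Samba-style configuration, as an added example that is not part of the original post and not Synology's own tooling. It assumes the settings are expressed with the standard Samba parameters `server min protocol`, `map to guest` and `guest ok`; the sample configuration is constructed.

```python
# Dialects accepted by "server min protocol" that predate SMB2.
PRE_SMB2 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
YES = {"yes", "true", "on", "1"}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and runs of spaces in the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def audit_smb_conf(text):
    """Return findings for the SMB items of the checklist."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    proto = glob.get("server min protocol", glob.get("min protocol"))
    if proto is None:
        findings.append("global: server min protocol is not set explicitly")
    elif proto.upper() in PRE_SMB2:
        findings.append(f"global: server min protocol = {proto} permits SMB1")
    guest_map = glob.get("map to guest", "Never")
    if guest_map.lower() != "never":
        findings.append(f"global: map to guest = {guest_map} enables guest logins")
    for name, params in conf.items():
        guest_ok = params.get("guest ok", params.get("public", "no"))
        if name != "global" and guest_ok.lower() in YES:
            findings.append(f"{name}: guest ok = {guest_ok}")
    return findings

# Constructed sample configuration (not taken from a real NAS).
WEAK = """[global]
    server min protocol = NT1
    map to guest = Bad User
[homes]
    guest ok = no
[scratch]
    guest ok = yes
"""

if __name__ == "__main__": print("\n".join(audit_smb_conf(WEAK)))
```

An empty result means the minimum protocol is SMB2 or later and no share or global setting grants guest access.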
 

Thank you very much, fredbert, for your detailed and kind answer!
 

It's nice to see that the last three points of your security advice were already automatically done by the initial Synology setup: SMB is set to a minimum of v2, the default admin and guest user access are disabled.

However, I have a few questions regarding the first two points (3.1, 3.2):

1. "Only open services you use" – What exactly do you mean by "services"? The packages inside the Synology software? For now I'm only using the C2 backup. Which services are most known to be a security risk?

2. "Only allow authenticated user access." – How does this differentiate from disabling default admin and guest? Is there any checkbox with this exact security function or is disabling of default admin and guest enough?

3. Also, I've set up the Secure Login iOS app for the Two-factor authentication. I see that there are some settings for 2FA in the control panel, but I'm not sure if I should change anything. Now it looks like this:

1610883965615.png


Thank you for your kind help!
 
Services: what I meant is to only enable/install features that you want to use.

Traditionally a client/server model would have a server providing services (web server, network file sharing, dns, dhcp, ntp, ftp/ftps, ssh/sftp, etc.) to which other devices can connect. Some of these are built into DSM and some will be additional packages. But in this respect the NAS is the server providing these services, so only enable what you need.

Only authenticated users: some services will be accessible to authenticated users and unauthenticated, e.g. SMB allows for its own level of guest access. Where possible you should only have authenticated users accessing services.

iOS Secure Access app: this is for DSM 7, which is currently going through beta testing. The 2-step verification has been the way to enhance login in DSM, but not everything uses it (e.g. SSH doesn't). You don't have to force users to use 2-step, esp. if it's only you, as the user's DSM portal provides access to setting this up here...
1610893134654.png


With 2-step I use 1Password to securely store the one-time code along with the standard login credentials. Others use different applications.

The new Secure Access requires Internet access for it to work. As it's new, you're probably as knowledgeable as I am on it :)
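
One way to verify "only enable what you need" from a computer on the same home network, as an added example that is not part of the original post and not Synology tooling: it checks which TCP services answer on your own NAS and compares them with the set you intend to run. The port table uses standard default ports (including DSM's default 5000/5001 web ports), and `nas.local` and the intended set are placeholders.

```python
import socket

# Standard TCP ports for services named above, plus DSM's default web UI
# ports (5000/5001). Adjust if the NAS uses custom ports. UDP-only services
# (dhcp, ntp) are not covered by a TCP connect check.
KNOWN_PORTS = {
    21: "ftp", 22: "ssh/sftp", 80: "http", 139: "smb (netbios)",
    443: "https", 445: "smb", 548: "afp", 873: "rsync", 2049: "nfs",
    5000: "dsm http", 5001: "dsm https",
}

def tcp_probe(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_services(host, intended, probe=tcp_probe):
    """Compare services answering on the NAS with the ones you intend to run.

    intended: set of TCP ports you deliberately enabled.
    Returns (unexpected, missing) as sorted lists of ports.
    """
    candidates = set(KNOWN_PORTS) | set(intended)
    listening = {port for port in candidates if probe(host, port)}
    unexpected = sorted(listening - set(intended))
    missing = sorted(set(intended) - listening)
    return unexpected, missing

def format_report(unexpected, missing):
    """Render the audit result as lines a person can act on."""
    lines = [f"disable or firewall: {p} ({KNOWN_PORTS.get(p, 'unknown')})"
             for p in unexpected]
    lines += [f"intended but not answering: {p}" for p in missing]
    return lines or ["only the intended services are listening"]

if __name__ == "__main__":
    # "nas.local" and the intended set are placeholders for your own NAS.
    print("\n".join(format_report(*audit_services("nas.local", {445, 5001}))))
```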
 

Thank you very much, fredbert!

I noticed that I still have admin permissions enabled in the Control Panel > Shared Folders > homes > Edit:

1610912512216.png


Should I disable this? (I didn't screenshot my username permissions, which are the same as for admin)

Btw, is it normal that there is no "home" folder under Shared Folders, only "homes"?

1610912528613.png


I noticed this, because I wanted to enable Recycle Bin for "Home" (which I am using as my main folder). But it seems I can only do it for "Homes".

When I'm mounting "Home" on my Mac and I delete a file, it's gone, not put in the Recycle Bin (enabled via Control Panel in "Homes"). But if I mount "Homes" and go to the same folder (located in subfolder "Home") as before and delete a file there, it goes to the Recycle Bin.
Should I just work with my "Home" files from the "Homes" mount on my Mac, or is there a better solution?
 
/homes is where all the user home folders are located. When you log in as a particular user then a pseudo folder /home is shown but really this is /homes/<user>.

The 'admin' account is the default administrator account. As this name is well known then it is best to create a new user account and assign it to the administrator group, this account will now have administrator rights. Then disable the default 'admin' account. Now you should have your normal user account for everyday stuff and the new administrator account to use on admin tasks.

You should not be able to disable admin until there is another user account that is a member of administrator group. And it's always good practice to only use an admin account for admin tasks and a standard user account for actually using the NAS (or Mac, or PC).
 
