Windows File Server Security - Advised to Disable - What Does It Control?

After changing the 5001 Port on my NAS and performing other needed updates, I began chasing down all the Security Advisor recommendations on my 2600... The last one was to DISABLE the SYSTEM RULE for the Destination Port of the Windows File Server on the Firewall.

After disabling this, I have yet to determine exactly its purpose, as I would like to understand what it controls... What else may be impacted by its being disabled? This one seemed possibly important, but I have yet to be able to find any information on it.

Windows File Server - Disable.png
 
Do you use the router to store files, e.g. as a NAS, or is that what the real NAS is for? Windows File Server is allowing access to files stored on the router.

That firewall rule is allowing devices, regardless of LAN or Internet, to access your router's Windows File Server service. Probably not what you'd want.
 
In which case you don't need to have any file sharing services enabled on the router, nor any firewall rules to permit access to the router on these ports. Best to have the router doing network stuff and disable/don't install things that the NAS can do.

I don't run any user-orientated service on the router except VPN Plus, and those user accounts are via LDAP from the NAS... so users do password management on the NAS and these accounts have very little other permissions. The only local user on the router is for admin tasks.
 
Thanks again for the reasons... Port Forwarding and other security practices are easily bypassed by not understanding vulnerabilities... I don't have the expertise and practice to understand all that is needed to truly keep everything locked down. I know it's not perfect, but I have implemented the "Business" level checks for the Security Advisors on both my Router + NAS to hopefully reveal any weak points... It's hard enough dealing with all the "Hits" we get from being scanned and probed on a continual basis...
 
I may be wrong, but do you really want to expose your router to that extent to the internet? Because according to your screenshot everybody can access from the internet e.g. your router's management UI, your attached printers, your NAS (port 5001) and Plex...

Source IP = all means from everywhere...

Personally I'm much more restrictive in that regard:
1620170320166.png

I only have two rules exposing the router to the internet: the "System Rule" (that is handled by SRM to update Let's Encrypt certificates, and by default the action is set to deny whenever it is not just renewing the certificate), and the "Synology VPN" that I use to connect to my home LAN from the Internet. The "LAN to SRM" rule allows my clients from the LAN (192.169.7.0/24) to access all ports on the router (even though besides the management UI I wouldn't need any).

And of course I forbid all WAN access (Internet) that is not explicitly allowed in the firewall rules:
1620170474196.png

If unsure Synology has described this topic in more detail here: Synology Router Manager - Knowledge Base | Synology Inc.
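The rule-table review in the reply above (source "all" on the WAN side, a default deny for everything else, disabled rules not counting) can be expressed as a small audit script. This is an added example, not SRM's own code or export format: the `Rule` shape, the port labels and the rule set are constructed to mirror the thread, and the LAN range 192.168.7.0/24 and SRM port 8001 are assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class Rule:
    name: str
    source: str        # "all" or a CIDR such as "192.168.7.0/24"
    interface: str     # "WAN" (Internet) or "LAN"
    ports: tuple       # destination TCP ports
    action: str        # "allow" or "deny"
    enabled: bool = True


# Port labels for findings. 5000/5001 are the DSM defaults named in the thread;
# 139/445 are the standard Windows file sharing (SMB) ports; 8001 is assumed.
SERVICE_NAMES = {5000: "DSM HTTP", 5001: "DSM HTTPS", 139: "SMB/NetBIOS",
                 445: "SMB", 8001: "SRM HTTPS (assumed)"}


def audit(rules, default_wan_action):
    """Return findings for an SRM-style rule table (constructed model).

    A rule only counts when enabled; an unchecked rule is treated as absent.
    An enabled allow rule on WAN with source 'all' exposes its ports to the
    whole Internet, which is the condition the reply above warns about.
    """
    findings = []
    for r in rules:
        if not r.enabled or r.action != "allow" or r.interface != "WAN":
            continue
        if r.source == "all":
            names = ", ".join(f"{p} ({SERVICE_NAMES.get(p, 'unknown')})" for p in r.ports)
            findings.append(f"{r.name}: allows ANY source on WAN to ports {names}")
        elif ip_network(r.source).is_private:
            findings.append(f"{r.name}: private source {r.source} on WAN (likely misplaced)")
    if default_wan_action != "deny":
        findings.append("default WAN policy is not deny: unmatched traffic gets through")
    return findings


# Constructed rule set modelled on the screenshots discussed in this thread.
EXAMPLE_RULES = [
    Rule("System rule (Windows File Server)", "all", "WAN", (139, 445), "allow"),
    Rule("Rule 1 (NAS)", "all", "WAN", (5001,), "allow"),
    Rule("LAN to SRM", "192.168.7.0/24", "LAN", (8001,), "allow"),
    Rule("Old VPN rule", "all", "WAN", (1194,), "allow", enabled=False),
]

if __name__ == "__main__":
    for finding in audit(EXAMPLE_RULES, default_wan_action="allow"):
        print(finding)
```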
 
Roger... thank you for seeing that... And that was the next step for me, as I have already port forwarded both 5000 & 5001 to other port values... So I assume (likely incorrectly) that I could simply disable/delete this "RULE 1"... hopefully without altering any other access settings.
However, I am unable to disable this rule... I also opened it up in the ADMIN account just to be sure, but there is evidently a reason it is not removable, no?
 
Wizard99, I guess this rule was created because you enabled Windows file service in SRM. Since you disabled the rule in the firewall (enabled checkmark = unchecked) the rule is not taken into account (so it is treated as if you had deleted it). Anyhow, if you do not need services I would always disable them.

1620236722473.png
 
Roger...

Using the OPEN PORT Checker Tool with the default Remote Address, it shows both 5000 & 5001 as "closed"... But this "RULE 1" for 5001 is still getting hits from presumably outside...
Hits are better than successful intrusions!

Rule 1.png
 