  1. #1
    OverWorked

    Secure a Terastation NAS

    Hello,

    I use a Buffalo Terastation as a backup-to-disk NAS device. Trouble is it's open to everyone. Anyone who found it could delete the backup files.

    The Terastation AD integration is very poor, so can't secure it that way.

    I wanted to secure it by connecting it to a Windows box and use AD security to control access.

    The easiest option would have been to use USB to connect it to the PC and use it as a shared USB drive. The trouble is it doesn't have a USB-B connection. (It does have USB-A connectors, intended for connecting to other terastations and UPS devices - my next step will be to try a USB A-A cable).

    I've tried connecting via ethernet to a second NIC on the PC, and putting the device on a separate subnet. I can then create a mapped drive for the Terastation, but can't share it - it's not possible to share a mapped drive.

    The thought of having the backup open like this is not good. Any help would be appreciated.

    Any suggestions?

  2. #2

    I have one of these and yes, the AD integration is awful. However, I have mine just set up with a local user account on the NAS, and if you try to access the share that I back up to, it prompts for credentials. In my backup software I just put in the local user and it works fine.

  3. Thanks to ssiruuk2 from:

    OverWorked (12th December 2008)

  4. #3
    mark
    I also schedule the thing to go off school times using the sleep option. Power up at 6pm and start backing up, and off after the night's work at 8am.

  5. #4

    Michael
    Can you not give the NAS an obscure computer name? I presume users are/could gain access by typing a UNC path into explorer?

  6. #5
    OverWorked
    @ssiruuk2: I think I've read somewhere of others doing this - it may be the best option. I'll look into it.

    @mark: That's one option, but not that secure. It might also stop extra long backup jobs running.

    @Michael: That was my original approach: security by obscurity. I always knew it was open but thought that it was impossible to find. I recently had a shock when I found that they can browse the network. All they do is right-click 'all programs' in the start menu and explore. Because their start menu is redirected, they can browse all the shares on the network. I've secured all Windows shares, but can't do it for the Linux-based NAS. Anyone know of a GP setting to stop this?

  7. #6

    Michael
    Apply these policies:

    Admin Templates > Windows Components > Windows Explorer -
    No "Computers Near Me" in My Network Places (Enabled)
    No "Entire Network" in My Network Places (Enabled)

    Admin Templates > Desktop -
    Hide My Network Places on Desktop (Enabled)

    These three policies should do the trick

  8. #7

    FN-GM
    Another option would be to put the Terastation on its own VLAN. Using firewall rules, only allow your server's IP address to access devices on that VLAN.

  9. #8
    mark
    Originally posted by OverWorked:
    @mark: That's one option, but not that secure. It might also stop extra long backup jobs running.
    Totally secure when it's off! I use robocopy to only copy over parts of files that have changed which reduces a massive backup job to a manageable time.

  10. #9
    enjay
    We recently bought a Buffalo Linkstation Pro, and that has AD integration on it - simply hook it up to the (it even hunted out our DHCP server itself) go into the management interface on it and join it to the domain, then from the management interface again, create a new share on it and assign permissions. Works a treat.

  11. #10
    OverWorked
    Originally posted by ssiruuk2:
    I have one of these and yes, the AD integration is awful. However, I have mine just set up with a local user account on the NAS, and if you try to access the share that I back up to, it prompts for credentials. In my backup software I just put in the local user and it works fine.
    That approach worked. I've set the local security on the box to protect the shares with an account with the same username and password as the domain account that Backup Exec runs under.

    Funny thing is, I'm sure I tried that weeks ago and couldn't get it to work. Anyway, it's working now...

    Another thing: from XP, I can browse the shares on the Terastation using the new credentials, but if I browse from Vista, it insists on adding the domain name to the username, so the Terastation denies access. It's working, so can't grumble about that.

    BTW, the Terastation is housed in a secure location way down the other end of the school, so it's physically secure.

    I can sleep easy over Christmas now, knowing that my backups are safe.

  12. #11
    OverWorked
    Originally posted by NickJones:
    We recently bought a Buffalo Linkstation Pro, and that has AD integration on it - simply hook it up to the (it even hunted out our DHCP server itself) go into the management interface on it and join it to the domain, then from the management interface again, create a new share on it and assign permissions. Works a treat.
    Thanks, Nick.

    I know that AD integration for Linux-based storage boxes has improved a lot recently. Next time I buy one I'll check more thoroughly.

  13. #12
    enjay
    Make sure you get the LinkStation Pro, as the non-Pro model doesn't have the AD integration.

    I have the same problem as you from my Vista PC, no real concern though as it is only me with Vista, so I just VNC onto the server when I want to access the NAS.

  14. #13
    OverWorked
    Originally posted by Michael:
    Apply these policies:

    Admin Templates > Windows Components > Windows Explorer -
    No "Computers Near Me" in My Network Places (Enabled)
    No "Entire Network" in My Network Places (Enabled)

    Admin Templates > Desktop -
    Hide My Network Places on Desktop (Enabled)

    These three policies should do the trick
    Michael,

    I've already got these set. They prevent network browsing by other methods, but still allow it through browsing the start menu folder.

    I suppose that disabling the Windows Explorer context menu would prevent this, but I wanted to avoid doing that.

    Thanks anyway.

    @mark - looking at the time of your post, you should enable your sleep option! How do you do it?
    Last edited by OverWorked; 13th December 2008 at 11:55 AM. Reason: grammar

  15. #14

    m25man
    I found this post @ MajorGeeks.com,

    It helped me sort out a few Terastation issues.....

    The link provided was the key for me (http://buffalo.nas-central.org/index...tive_Directory). I did find some ambiguities in the directions provided by the link. I was able to arrive at the correct configuration, but thought these written steps might help:

    1. Basic tab of TeraStation (TS):
       a. Set name
       b. Date: set time zone (for me, GMT -5.00); enable NTP, default NTP server is fine.
       c. TS does not have a setting for DST. This is OK. During summer, TS time will appear off by precisely 1 hour. This is expected, and OK.
    2. Network IP Address Properties – set fixed IP address. DNS server must be that of AD.
    3. TS must be on same network segment as AD domain controller.
    4. Create AD service account for TeraStation (Windows 2003, AD)
       a. Password cannot contain special characters
       b. Account must be member of Administrators Group
    5. DNS: create A and PTR records for the TS
    6. Create a computer account for the TeraStation (Windows 2003, AD).
       a. Computer name
       b. Do not select “Assign this computer account as a pre-Windows 2003 computer”
       c. Do not select “Assign this computer account as a backup domain controller”
       d. After computer account is created, examine properties page; Delegation tab. Select “Trust this computer for delegation to any service (Kerberos only)”.
    7. Now join to Active Directory on the TS: Network; Workgroup / Domain
       a. Network type: Active Directory
       b. Complete AD NetBIOS name; DNS name; DC name, TeraStation service account name and password.
       c. WINS is not required!! This will work just fine without WINS.
       d. Local user authorization settings: I selected the option “Allow” local user authorization. Not sure all the security implications with the TS, but do not want to risk losing access to the device via its local administrator account.
    8. When done, click Apply.

    There are a number of posts that indicate that time is critical - that is true.

    In my case the problem was the password of the service account. Complex passwords are required, and our convention is to use special characters. The Terastation does not work with passwords that include special characters.


    ---------------------------
    There are some new issues concerning the SMB signing used in 2008 & 2008R2 that seem to be causing problems for Domain Admins. Buffalo are working on a fix but seem to be stuck at present hence there seems to be a bit of a switch to promoting iSCSI instead!

    Personally I have had no issues integrating them into AD on 2003 server so far using the above notes.

    Hope it helps some geeks..
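
A pre-flight check for the join steps quoted above, as an added example that is not part of the original post or of Buffalo's tooling. It assumes "special characters" means anything other than letters and digits, uses the 5-minute clock tolerance that AD applies to Kerberos by default, and adds a minimum-length rule of its own; every address, name and password in `SAMPLE` is constructed.

```python
import ipaddress
import re
import socket

MAX_SKEW_S = 300   # assumption: AD's default Kerberos clock tolerance (5 minutes)
MIN_PW_LEN = 20    # added recommendation: length offsets the alphanumeric-only limit

def preflight(cfg, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Return the problems that would block the join; an empty list means ready."""
    problems = []
    segment = ipaddress.ip_network(cfg["segment"])
    # Step 2: the TS must use the AD DNS server.
    if cfg["ts_dns"] != cfg["ad_dns"]:
        problems.append("dns-server")
    # Step 3: TS and domain controller on the same segment.
    if not all(ipaddress.ip_address(cfg[k]) in segment for k in ("ts_ip", "dc_ip")):
        problems.append("segment")
    # Step 4a: no special characters (assumed to mean letters and digits only).
    if not re.fullmatch(r"[A-Za-z0-9]+", cfg["svc_password"]):
        problems.append("password-charset")
    elif len(cfg["svc_password"]) < MIN_PW_LEN:
        problems.append("password-length")
    # Step 5: A and PTR records must exist and agree with each other.
    try:
        if forward(cfg["ts_fqdn"]) != cfg["ts_ip"]:
            problems.append("a-record")
    except OSError:
        problems.append("a-record")
    try:
        if reverse(cfg["ts_ip"])[0].lower() != cfg["ts_fqdn"].lower():
            problems.append("ptr-record")
    except OSError:
        problems.append("ptr-record")
    # "Time is critical": compare the two clocks (epoch seconds) before joining.
    if abs(cfg["ts_clock"] - cfg["dc_clock"]) > MAX_SKEW_S:
        problems.append("clock-skew")
    return problems

# Constructed sample values; none of them come from the thread.
SAMPLE = {"segment": "192.0.2.0/24", "ts_ip": "192.0.2.50", "dc_ip": "192.0.2.10",
          "ts_dns": "192.0.2.10", "ad_dns": "192.0.2.10",
          "ts_fqdn": "ts1.example.test", "svc_password": "P@ssw0rd!",
          "ts_clock": 1_700_000_000, "dc_clock": 1_700_000_420}

if __name__ == "__main__":
    # Stub resolvers stand in for live DNS so the demo runs offline.
    print(preflight(SAMPLE, forward=lambda n: "192.0.2.50",
                    reverse=lambda ip: ("ts1.example.test", [], [ip])))
```

Called without the `forward` and `reverse` arguments, `preflight` queries whatever DNS server the machine running it is configured to use, so run it from a host that points at the AD DNS server.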

  16. #15
    tarquel
    You might want to edit that link you included m25man

    Ta.
