Secure a Terastation NAS
I use a Buffalo Terastation as a backup-to-disk NAS device. Trouble is it's open to everyone. Anyone who found it could delete the backup files.
The Terastation AD integration is very poor, so can't secure it that way.
I wanted to secure it by connecting it to a Windows box and use AD security to control access.
The easiest option would have been to use USB to connect it to the PC and use it as a shared USB drive. The trouble is it doesn't have a USB-B connection. (It does have USB-A connectors, intended for connecting to other terastations and UPS devices - my next step will be to try a USB A-A cable).
I've tried connecting via ethernet to a second NIC on the PC, and putting the device on a separate subnet. I can then create a mapped drive for the Terastation, but can't share it - it's not possible to share a mapped drive.
The thought of having the backup open like this is not good. Any help would be appreciated.
I have one of these and yes, the AD integration is awful. However, I have mine just set up with a local user account on the NAS, and if you try to access the share that I back up to, it prompts for credentials. In my backup software I just put in the local user and it works fine.
I also schedule the thing to go off school times using the sleep option. Power up at 6pm and start backing up, and off after the night's work at 8am.
Can you not give the NAS an obscure computer name? I presume users are/could gain access by typing a UNC path into explorer?
@ssiruuk2: I think I've read somewhere of others doing this - it may be the best option. I'll look into it.
@mark: That's one option, but not that secure. It might also stop extra long backup jobs running.
@Michael: That was my original approach: security by obscurity. I always knew it was open but thought that it was impossible to find. I recently had a shock when I found that they can browse the network. All they do is right click 'all programs' in the start menu and explore. Because their start menu is redirected, they can browse all the shares on the network. I've secured all Windows shares, but can't do it for the Linux-based NAS. Anyone know of a GP setting to stop this?
Apply these policies:
Admin Templates > Windows Components > Windows Explorer -
No "Computers Near Me" in My Network Places (Enabled)
No "Entire Network" in My Network Places (Enabled)
Admin Templates > Desktop -
Hide My Network Places on Desktop (Enabled)
These three policies should do the trick :)
Another option would be to put the Terastation on its own VLAN. Using firewall rules, only allow your server's IP address to access devices on that VLAN.
Totally secure when it's off! ;) I use robocopy to only copy over parts of files that have changed which reduces a massive backup job to a manageable time.
Originally Posted by OverWorked
We recently bought a Buffalo Linkstation Pro, and that has AD integration on it - simply hook it up to the (it even hunted out our DHCP server itself) go into the management interface on it and join it to the domain, then from the management interface again, create a new share on it and assign permissions. Works a treat.
That approach worked. I've set the local security on the box to protect the shares with an account with the same username and password as the domain account that Backup Exec runs under.
Originally Posted by ssiruuk2
Funny thing is, I'm sure I tried that weeks ago and couldn't get it to work. Anyway, it's working now...
Another thing: from XP, I can browse the shares on the Terastation using the new credentials, but if I browse from Vista, it insists on adding the domain name to the username, so the Terastation denies access. It's working, so can't grumble about that.
BTW, the Terastation is housed in a secure location way down the other end of the school, so it's physically secure.
I can sleep easy over Christmas now, knowing that my backups are safe.
Originally Posted by NickJones
I know that AD integration for Linux-based storage boxes has improved a lot recently. Next time I buy one I'll check more thoroughly.
Make sure you get the LinkStation Pro, as the non-Pro model doesn't have the AD integration.
I have the same problem as you from my Vista PC, no real concern though, as it is only me with Vista, so I just VNC onto the server when I want to access the NAS.
Originally Posted by Michael
I've already got these set. They prevent network browsing by other methods, but still allow it through browsing the start menu folder.
I suppose that disabling the Windows Explorer context menu would prevent this, but I wanted to avoid doing that.
@mark - looking at the time of your post, you should enable your sleep option! How do you do it? :D
I found this post @ MajorGeeks.com,
It helped me sort out a few Terastation issues.....
The link provided was the key for me (http://buffalo.nas-central.org/index...tive_Directory). I did find some ambiguities in the directions provided by the link. I was able to arrive at the correct configuration, but thought these written steps might help:
1. Basic tab of TeraStation (TS):
a. Set name
b. Date: set time zone (for me, GMT -5.00); enable NTP; the default NTP server is fine.
c. TS does not have a setting for DST. This is OK. During summer, TS time will appear off by precisely 1 hour. This is expected, and OK.
2. Network IP Address Properties – set fixed IP address. DNS server must be that of AD.
3. TS must be on same network segment as AD domain controller.
4. Create AD service account for TeraStation (Windows 2003, AD)
a. Password cannot contain special characters
b. Account must be member of Administrators Group
5. DNS: create A and PTR records for the TS
6. Create a computer account for the TeraStation (Windows 2003, AD).
a. Computer name
b. Do not select “Assign this computer account as a pre-Windows 2003 computer”
c. Do not select “Assign this computer account as a backup domain controller”
d. After computer account is created, examine properties page; Delegation tab. Select “Trust this computer for delegation to any service (Kerberos only)”.
7. Now join to Active Directory on the TS: Network; Workgroup / Domain
a. Network type: Active Directory
b. Complete AD NetBIOS name; DNS name; DC name, TeraStation service account name and password.
c. WINS is not required!! This will work just fine without WINS.
d. Local user authorization settings: I selected the option “Allow” local user authorization. Not sure of all the security implications with the TS, but do not want to risk losing access to the device via its local administrator account.
8. When done, click Apply.
There are a number of posts that indicate that time is critical - that is true.
In my case the problem was the password of the service account. Complex passwords are required, and our convention is to use special characters. The Terastation does not work with passwords that include special characters.
There are some new issues concerning the SMB signing used in 2008 & 2008R2 that seem to be causing problems for Domain Admins. Buffalo are working on a fix but seem to be stuck at present hence there seems to be a bit of a switch to promoting iSCSI instead!
Personally I have had no issues integrating them into AD on 2003 server so far using the above notes.
Hope it helps some geeks..
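A pre-flight check for the join steps in the post above, added here as an example and not part of the original post or of any Buffalo tooling. It checks the three things the post singles out: the service account password has no special characters, the A and PTR records agree, and the clocks match. Assumptions: "special" means anything other than ASCII letters and digits, the skew limit is AD's default Kerberos tolerance of 5 minutes, and the host name and address are constructed sample values.

```python
import socket
import string
from datetime import datetime, timezone

MAX_SKEW_SECONDS = 300  # assumption: AD's default Kerberos clock-skew tolerance
SAFE_CHARS = set(string.ascii_letters + string.digits)  # assumption: all else is "special"


def check_password(password):
    """Return the characters in the password that the TeraStation may reject."""
    return sorted(set(password) - SAFE_CHARS)


def check_dns(hostname, expected_ip, forward=socket.gethostbyname,
              reverse=socket.gethostbyaddr):
    """Verify that the A record and the PTR record from step 5 agree."""
    problems = []
    try:
        ip = forward(hostname)
        if ip != expected_ip:
            problems.append(f"A record gives {ip}, expected {expected_ip}")
    except OSError as exc:
        problems.append(f"no A record for {hostname}: {exc}")
    try:
        ptr_name = reverse(expected_ip)[0]
        if ptr_name.rstrip(".").lower() != hostname.rstrip(".").lower():
            problems.append(f"PTR gives {ptr_name}, expected {hostname}")
    except OSError as exc:
        problems.append(f"no PTR record for {expected_ip}: {exc}")
    return problems


def check_skew(nas_utc, dc_utc, limit=MAX_SKEW_SECONDS):
    """Compare both clocks in UTC, so a display that is 1 hour off for DST is ignored."""
    skew = abs((nas_utc - dc_utc).total_seconds())
    return [] if skew <= limit else [f"clock skew {skew:.0f}s exceeds {limit}s"]


if __name__ == "__main__":
    # Constructed sample values; the fake resolvers keep the demo offline.
    fake_forward = lambda name: "192.0.2.10"
    fake_reverse = lambda ip: ("ts-backup.example.local", [], [ip])
    print(check_password("Backup2008!"))
    print(check_dns("ts-backup.example.local", "192.0.2.10", fake_forward, fake_reverse))
    now = datetime(2008, 12, 19, 18, 0, tzinfo=timezone.utc)
    print(check_skew(now, now))
```

Called without the `forward` and `reverse` arguments, `check_dns` queries the resolver configured on the machine running it, which should be the AD DNS server named in step 2.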
You might want to edit that link you included m25man :)