Default security settings for new users who have no background in networking nor security

Joined
Jan 14, 2023
Messages
38
Hi, I read that some NAS have many security issues such as ransomware because by default, settings which lead to high security are not set as companies let the users do the job. However, a lot of users have no background in networking nor security. This leads to lots of security issues. Somewhere I also read that this happens to both turnkey and opensource NAS. How is the situation with TrueNAS? Is it possible to have options so that if users choose the most secured option, related settings are automatically set by default?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
this happens to both turnkey and opensource NAS. How is the situation with TrueNAS? Is it possible to have options so that if users choose the most secured option, related settings are automatically set by default?
I don't think there's a clear way to answer the questions, but I'll make the following comments in the direction of an answer.

TrueNAS provides a GUI and API framework that make configuring NAS features possible through the provided user interface (and for other scripts and software via the API).

This assumes some level of knowledge/understanding of either UNIX or Windows (or both in some cases) permissions and ACLs in order to correctly pull the right levers in the GUI to produce a share that grants the desired access.

The sheer number of posts/threads you'll find here with folks who are struggling just to get basic access to their own data over a share indicates that the defaults must at least be a little "safe".

I don't think TrueNAS inappropriately simplifies things to result in overly permissive settings by default, but it sure is possible that folks will (perhaps out of frustration with not understanding what they are doing and not getting the desired result) set wide open permissions on shares.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I'll add that much of the threat surface is secondary, i.e. available only to an intruder already on the network.
That applies as long as users don't do stupid things like expose the WebGUI to the Internet.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Adding to that, TrueNAS is not a network appliance. You should never connect it to the Internet with access from outside. But that is completely out of TrueNAS' scope and a matter of your router/firewall configuration.
 
Joined
Jan 14, 2023
Messages
38
Is it possible for somebody who knows TrueNAS well to create a document on what settings to change to make the system at the highest security level (i.e. no access from outside the home network, the only allowable interaction with the internet is to upgrade the software)?

Alternatively, is it possible for developers to include this as one of the default settings so that people who don't know networking nor security can just choose that option and have the settings automatically applied to the system?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is it possible for somebody who knows TrueNAS well to create a document on what settings to change to make the system at the highest security level (i.e. no access from outside the home network, the only allowable interaction with the internet is to upgrade the software)?
No, it really isn't, as neither of these things can be controlled by the NAS itself--that would be the job of your edge device, as Patrick already said. Now, the default configuration for the vast majority of home (and even SMB) routers is going to block outside access to the NAS, so that's half of your suggestion solved without really needing to do anything. But the other is going to be trickier to arrange.
 
Joined
Jan 14, 2023
Messages
38
Hello, could you please let me know how to make a home TrueNAS system invisible from the internet? I don't need to access it from outside home network. Just need to download or upgrade system files. Do the default settings upon installation of TrueNAS do these automatically? Thank you.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
Hello, could you please let me know how to make a home TrueNAS system invisible from the internet? I don't need to access it from outside home network. Just need to download or upgrade system files. Do the default settings upon installation of TrueNAS do these automatically? Thank you.
Just don't expose it to the internet, meaning don't open ports on your firewall (modem).
There were a few posts about network security on the forum but I can't remember the thread, maybe it was about the security of a VLAN vs physically separated connections.
Proper practice would regard your entire network, not just TN, and would likely mean:
  • Isolate the TN system from all the IoT you have in your house (smart bulbs, home assistants, etc) since they have been proved to be an issue.
  • Don't expose the TN system to the network outside of your firewall (don't open ports on your modem).
  • Require a username and a password in order to see the shared datasets (aka don't use anonymous user in SMB or similar).
  • Give each user the permissions they need, not complete control.
  • Don't make script executing possible in the datasets you share (and for the non-root users).
  • Use a unique, strong password for the root account (and maybe consider 2FA).
  • Have offline or cloud backups, as well as a solid snapshot scheduling.
  • If you use services like SSH, consider changing the default port.
I think that for a home user without any networking knowledge this should be enough.
If we are talking about business it's another topic (as well as budget).
Also, all of this was without talks about encryption, VPNs and similar.

Anyway, the default (clean install) TN configuration doesn't expose it to any risks beyond yourself.

Please do note that I'm no professional.
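
An added example, not part of the post above and not TrueNAS code: a small audit that applies the mechanically checkable items from the checklist (port forwards, IoT isolation, anonymous shares, SSH port, 2FA, snapshots, backups) to a home-network inventory. The inventory layout and every value in it are constructed for illustration and do not correspond to any TrueNAS or router API output.

```python
import ipaddress

# Constructed inventory; the layout is hypothetical, filled in by hand
# from the router and NAS settings pages.
SAMPLE = {
    "nas_ip": "192.168.10.20",
    "router_port_forwards": [
        {"external_port": 443, "target_ip": "192.168.10.20"},
        {"external_port": 25565, "target_ip": "192.168.10.50"},
    ],
    "iot_subnets": ["192.168.10.0/24"],
    "smb_shares": [{"name": "media", "guest_access": True},
                   {"name": "documents", "guest_access": False}],
    "ssh": {"enabled": True, "port": 22},
    "root_2fa": False,
    "snapshot_tasks": [],
    "backup_targets": ["offline-usb"],
}

def audit(inv):
    """Return a sorted list of (check_id, detail) findings."""
    findings = []
    nas = ipaddress.ip_address(inv["nas_ip"])
    # Any router rule that targets the NAS exposes it to the internet.
    for rule in inv.get("router_port_forwards", []):
        if ipaddress.ip_address(rule["target_ip"]) == nas:
            findings.append(("port-forward",
                             f"external port {rule['external_port']} reaches the NAS"))
    # The NAS should not sit in the same subnet as IoT devices.
    for net in inv.get("iot_subnets", []):
        if nas in ipaddress.ip_network(net):
            findings.append(("iot-isolation", f"NAS shares {net} with IoT devices"))
    for share in inv.get("smb_shares", []):
        if share.get("guest_access"):
            findings.append(("guest-share", f"share '{share['name']}' allows anonymous access"))
    ssh = inv.get("ssh", {})
    if ssh.get("enabled") and ssh.get("port") == 22:
        findings.append(("ssh-port", "SSH is enabled on the default port 22"))
    if not inv.get("root_2fa"):
        findings.append(("no-2fa", "root account has no second factor (advisory)"))
    if not inv.get("snapshot_tasks"):
        findings.append(("no-snapshots", "no periodic snapshot task configured"))
    if not inv.get("backup_targets"):
        findings.append(("no-backup", "no offline or cloud backup target listed"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit(SAMPLE):
        print(f"[{check}] {detail}")
```

Per-user permissions and script execution on shared datasets are not covered here, since they need a look at the actual dataset ACLs.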
 