What are best practices for enhancing NAS security?
Applicable Products
All NAS series
Best Practices
The highest security risks to a NAS are malware/ransomware threats from the internet. To prevent malware infection or other attacks, QNAP strongly recommends securing your QNAP NAS and routers by following these best practices:
Don't expose the NAS to the internet
- Disable port forwarding on your router.
- Log in to the management interface of your router.
- Check the Virtual Server, NAT or Port Forwarding settings, and disable the port forwarding setting of NAS management service port (port 8080 and 443 by default).
- Disable Auto Router Configuration
- Open myQNAPcloud.
- Disable UPnP port forwarding.
- Go to Auto Router Configuration.
- Deselect Enable UPnP Port forwarding.
Remotely connect using myQNAPcloud Link or QVPN Service
- For more information on using myQNAPcloud, visit https://support.myqnapcloud.com/
- For more information on QVPN Service, read How to set up and use QVPN.
After disabling port forwarding, the NAS is still accessible through myQNAPcloud Link or QVPN Service.
Connect to the NAS using myQNAPcloud Link.
- Log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Open myQNAPcloud.
- Register your device with myQNAPcloud.
- Click Overview.
- Click Get Started and follow the steps to register your device.
- Enable DDNS.
- Go to My DDNS.
- Click the toggle button to enable My DDNS.
- Do not publish your NAS services.
- Go to Published Services.
- Deselect all items under Publish.
- Click Apply.
- Configure myQNAPcloud Link to enable secure remote access to your NAS via SmartURL.
- Go to myQNAPcloud Link.
- Click Install to install myQNAPcloud Link on your NAS.
- Click the toggle button to enable myQNAPcloud Link.
- Restrict who can remotely access your NAS via the SmartURL.
- Go to Access Control.
- Next to Device access controls, select Private or Customized.
Note:
- Private allows only the QNAP ID logged in to myQNAPcloud to access the NAS via the SmartURL.
- Customized allows you to invite other QNAP ID accounts to access the device via the SmartURL.
- If you selected Customized, click Add and specify a QNAP ID to invite the user.
- Open App Center.
- Search for QVPN Service.
- Click Install.
Update the NAS firmware to the latest version
- Log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
- QTS, QuTS hero or QuTScloud downloads and installs the latest available update.
Tip: You can also download the latest firmware for your NAS from https://www.qnap.com/en/download. This firmware can then be manually installed on your device.
- Under Auto Update, enable Recommended version.
- Click Apply.
- The system will periodically check for new updates and install the firmware automatically.
Update all applications on the NAS to their latest versions
- Log on to QTS, QuTS hero, or QuTScloud as an administrator.
- Open App Center.
- Update applications.
- Locate Install Updates in the top-right corner of the window. Click All.
- A confirmation message appears. Click OK.
- QTS, QuTS hero, or QuTScloud installs the latest versions of all applications.
- Enable Auto Update.
- Click Settings.
- Go to Update.
- Select Install all updates automatically and enable the item.
- Click Apply.
Apply strong passwords for all user accounts on the NAS
QNAP recommends using strong passwords that:
- Are at least 8 characters in length
- Include both uppercase and lowercase characters
- Include at least one number and one special character
- Do not contain the username or the username reversed
- Do not repeat the same character three or more times
Change the admin password
- Log on to QTS, QuTS hero, or QuTScloud as an administrator.
- Click the profile picture on the QTS Taskbar. The Options window opens.
- Click Change Password.
- Enter the current password.
- Enter a new password.
- Verify the new password.
- Click Apply.
Change user passwords
- Open the Control Panel.
- Go to Privilege > Users.
- Select a user.
- Click Change Password. The Change Password window appears.
- Enter the current password.
- Enter a new password.
- Verify the new password.
- Click Apply.
- Repeat the above steps for other users.
Remove unnecessary user accounts and applications
Remove unnecessary or unknown user accounts.
- Open the Control Panel.
- Go to Privilege > Users. A list of the NAS users is displayed.
- Delete any user accounts that are no longer required, or any user accounts that you do not recognize.
Remove unknown or suspicious applications
- Open the App Center.
- Go to My Apps. A list of your apps is displayed.
- Disable or remove any apps that you do not recognize.
Leverage security applications
Use the latest version of Malware Remover.
- Open the App Center.
- Search for "Malware Remover".
- Click Install.
- Open Malware Remover.
- Click Start Scan.
Install QuFirewall.
- Open the App Center.
- Search for "QuFirewall".
- Click Install.
- Open and enable QuFirewall.
Avoid opening default port numbers to the internet
If the NAS is directly connected to the Internet (for example, via PPPoE, static external IP address, or a router in DMZ mode), change the system port number in QTS.
- Open the Control Panel.
- Go to System > General Settings > System Administration.
- Specify a new system port number.
Warning: The following ports are default system ports that should not be used: 443, 8080, 8081, 80.
- Click Apply.
If your NAS is behind a router but is connected to the Internet through port forwarding, specify a new port number on the router. Do not use 443, 80, 8080 or 8081.
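To confirm that the port-forwarding changes described on this page took effect, you can test your own public address from outside your network (for example, from a mobile hotspot). This is an added example, not QNAP code; the script name and function names are hypothetical, and it checks only the four default system ports listed above.

```python
import socket
import sys

# Default QTS system ports listed on this page.
DEFAULT_PORTS = (443, 8080, 8081, 80)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as seen from where this script runs."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # something answered: the port is exposed
    except ConnectionRefusedError:
        return "closed"            # host reachable, nothing listening or forwarded
    except socket.timeout:
        return "filtered"          # no reply: dropped by a router or firewall
    except OSError:
        return "unreachable"       # DNS failure, no route, and similar errors


def exposure_report(host, ports=DEFAULT_PORTS, timeout=3.0):
    """Map each port to its state; only "open" needs action."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Hypothetical usage: python3 check_exposure.py <your public IP or DDNS name>
    if len(sys.argv) != 2:
        sys.exit("usage: check_exposure.py <public-ip-or-ddns-name>")
    report = exposure_report(sys.argv[1])
    for port, state in report.items():
        print(f"{port:>5}  {state}")
    # Exit non-zero if any default port still answers from outside.
    sys.exit(1 if "open" in report.values() else 0)
```

A port reported as open means a forwarding rule or direct exposure is still in place and the router or UPnP settings should be rechecked.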
Take snapshots and back up regularly to protect your data
Note: Snapshots require at least one storage pool, and one volume.
- Open the Control Panel.
- Go to Storage & Snapshots > Storage > Storage/Snapshots.
- Select a volume.
- Select Snapshot Manager from the Snapshot menu.
- Click Schedule Snapshot and Enable schedule.
Subscribe to the QNAP Security Advisory newsletter
You can get up-to-date security information by subscribing to our Security Advisory newsletter.
- Sign up for the Security Advisory newsletter.
- A confirmation email is sent to your email address. If you do not receive this email, check your spam/bulk email folder.
- Click the link in the email to confirm that you want to receive emails from QNAP.