
Synology 2019 Configuration Guide Part 4: Basic Security settings

In this blog post I will show you the basic security settings that I highly recommend you apply to increase the security of your files and your NAS.

Before we get started: if you are still thinking about which Synology to buy, check this guide instead: Synology 2019 Buying Guide. But if you are the happy owner of a new Synology, here is a guide on how to configure your brand new Synology!!

Here is the list of upcoming posts:

  1. Part 1: Install DSM in your Synology (operating system)
  2. Part 2: Configure your hard drives: Storage pool configuration
  3. Part 3: Upgrade your Synology RAM
  4. Part 4: Basic Security settings (this post)
  5. Part 5: Move/copy files between NASes

Here is the list of recommended security settings. These are the basic ones; I will do a part 2 for more advanced settings like SSL and VPN.

Basic security settings for your NAS

Before you start moving files, or afterwards if you have already moved them, here is the list of basic settings I recommend you configure on your NAS. I already have blog posts on most of these, so I will link to them, but there are some new ones too.

  1. Enable 2-step authentication
  2. Disable guest and admin account
  3. Redirect connections to HTTPS (internal connection)
  4. Upgrade SSL profile level
  5. Change the default ports
  6. Keep your Synology up-to-date

1. Enable 2-step authentication

I already have a blog post on it, so check it out here and come back for more 🙂

2. Disable guest and admin account

You are probably wondering why I am asking you to disable those accounts. Here is why, and it is especially true if you decide not to enable 2-step authentication: if somebody tries to hack your Synology, they need to know two things: your username and your password. If you don't disable those accounts, they already have the username of at least two of your users (admin and guest), and that way you are making it waaaaaaay too easy for them. If they want to hack your NAS, make it a bit cumbersome for them and they might leave you alone and look for an easier target 😉

OK, now that we know why, let's see how:

  1. Control Panel
  2. Click on Users
  3. Now click on the user you want to disable, for example admin
  4. and click edit

[Screenshot: disable user Synology]

That will take you to the next screen where you can disable those accounts.

[Screenshot: disable admin and guest accounts on Synology]

3. Redirect connections to HTTPS

You want all your data traffic to be secure, right? To do that, redirect all your HTTP connections to HTTPS. Here is how you do it:

  1. Control Panel
  2. Click on Network
  3. Click on Automatically redirect HTTP to HTTPS

[Screenshot: redirect internal communication to HTTPS]

Oh! Is it that easy? Well… no, unfortunately.

Once you change that and your web server restarts, you will be presented with this message in all browsers (see image below).

Did I break your NAS? No, don’t worry, the browsers are only complaining about the SSL setting, as you don’t have a certificate for that address.

To get to your NAS, click on “Advanced”:

[Screenshot: browser warning, connection not secure, Synology]

And then “Proceed to….” and you will regain access to your NAS:

[Screenshot: browser warning, connection not secure, Synology, advanced settings]

But Ruth, I don’t want to do this every time!!! OK, OK, got you. To avoid that, just add your IP as a trusted site and you are good to go. Here is a link on how to do it for all browsers.

4. Upgrade SSL Profile level

If you have a new NAS, you probably have Modern compatibility chosen as SSL Profile level, but if your NAS is old, chances are high you have Intermediate.

This setting specifies which protocols are used when connecting through SSL. Here is a post on how to add SSL when connecting to your NAS. Modern compatibility allows only modern browsers (which are more secure). Here is how you change it:

  1. Control Panel
  2. Go to Security
  3. On SSL profile level, change it to Modern compatibility
  4. OK.

[Screenshot: change SSL profile level]

5. Change the default ports

Synology’s default ports to access your NAS are 5000 and 5001 and you should change them.

Why? Same reasons as step two: a hacker can find what ports you have open in your router; it is not that hard. But if you don’t have the default ports open, they will leave you alone, as they are too lazy to scan your network and will move on to easier baits. So change them.

Here is how, go to:

  1. Control Panel
  2. Network
  3. Change the HTTP port
  4. Change the HTTPS port
  5. and apply

[Screenshot: change default ports on Synology]

And now you will have to re-add the IP to your browsers as you did in step 3.
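To confirm that steps 3 and 5 took effect, you can probe the NAS from another computer on your network. This script is an added example, not part of the original post; the address `192.168.1.10`, the ports `8080`/`8443` and the function names are placeholder assumptions.

```python
import http.client
import socket
from urllib.parse import urlsplit

DEFAULT_DSM_PORTS = (5000, 5001)  # the DSM defaults named in step 5

def port_is_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def redirect_target(host, http_port, timeout=3.0):
    """Location header of the redirect sent for a plain-HTTP GET, else None."""
    conn = http.client.HTTPConnection(host, http_port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        redirected = resp.status in (301, 302, 303, 307, 308)
        return resp.getheader("Location") if redirected else None
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def check_nas(host, http_port, https_port, default_ports=DEFAULT_DSM_PORTS):
    """Return a list of findings; an empty list means both steps took effect."""
    findings = []
    target = redirect_target(host, http_port)
    if target is None:
        findings.append(f"port {http_port}: plain HTTP is not redirected")
    else:
        url = urlsplit(target)
        if url.scheme != "https":
            findings.append(f"port {http_port}: redirect is not to https ({target})")
        elif (url.port or 443) != https_port:
            findings.append(f"redirect goes to port {url.port or 443}, expected {https_port}")
    for port in default_ports:
        if port not in (http_port, https_port) and port_is_open(host, port):
            findings.append(f"default port {port} still accepts connections")
    return findings

if __name__ == "__main__":
    # Placeholder address and ports (assumptions): use your NAS's own values.
    for line in check_nas("192.168.1.10", 8080, 8443) or ["all checks passed"]:
        print(line)
```

Run it again from outside your network against your public address if you forward ports on your router, since that is the view a scanner has.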

6. Keep your Synology up-to-date

Goes without saying, right? But you have two ways to keep your Synology up to date: manually, or let the Synology do the job for you.

Here is how your Synology can update itself:

  1. Control Panel
  2. Update & Restore
  3. Update settings
  4. Click “Newest DSM and all updates”
  5. and “check for DSM updates automatically”

[Screenshot: keep your Synology up to date]

And you are good to go for now.

We will continue with more advanced settings in future posts, but if you don’t want to wait for updated guides, check the old guides here:

Secure your NAS (older posts)

In the next post, I will show you how to access your Synology from outside your network. It is time to let our NAS fly!


4 thoughts on “Synology 2019 Configuration Guide Part 4: Basic Security settings”

  1. Hi, this is all good advice. I did this and then tried to use the Synology to configure a Let’s Encrypt certificate. Let’s Encrypt’s validation server tries to connect to port 80 and it’s failing. I have port 80 NAT forwarded to the Synology and my firewall rules allow port 80 on the WAN and LAN for the Synology. It’s not logging any blocks.

    Do these changes affect Synology’s Let’s Encrypt client?
