Feature request: direct SMB share as target

Posts: 5
Joined: 16 Nov 2022

alefello

Hello
I want to know how to copy the files to a NAS folder shared with username and password without saving them in Windows.
I want the network share (preferably SMB, but NFS is OK too) to be accessible only by FreeFileSync (i.e. saving username and password inside the software settings) but not from the underlying Windows OS/user.
Thank you
Best regards
Posts: 943
Joined: 8 May 2006

therube

(I don't know about such things, but...)

What if you connected to the share, normally (even starting from a command line), ran FFS, then disconnected the share?

So something like:

NET USE \\NAS /u:alefello
(which would prompt you for your password)
FreeFileSync.exe
(do what you need)
NET USE \\NAS /delete
(which would delete the share [& login] - theoretically)
(I don't know about such things, but...)
I'll leave it at that, as there seems to be some sort of caching or something going on, where I can still access the share even after the /delete.
Posts: 5
Joined: 16 Nov 2022

alefello

> (I don't know about such things, but...)
>
> What if you connected to the share, normally (even starting from a command line), ran FFS, then disconnected the share?
>
> So something like:
>
> NET USE \\NAS /u:alefello
> (which would prompt you for your password)
> FreeFileSync.exe
> (do what you need)
> NET USE \\NAS /delete
> (which would delete the share [& login] - theoretically)
> (I don't know about such things, but...)
> I'll leave it at that, as there seems to be some sort of caching or something going on, where I can still access the share even after the /delete.
>
> therube, 16 Nov 2022, 19:57

I thought about a similar thing but it has some problems:
- I need to use that in a scheduled batch FFS task, and it's not easy to mount shares with a password in batch and then delete them, removing the cached password
- while the FFS process is running, the mapped drive is accessible from every other process, so a ransomware could access it during the backup task, which can be veeeeeery long if the drive has already been partially encrypted and there are many GB to transfer to the network share
Posts: 943
Joined: 8 May 2006

therube

Disconnect Internet (but leave LAN active) during the backup period.
(Then reconnect.)

If the NAS doesn't actually need to be net facing, block it from the Internet.
(I did that on my end. Actually, I blocked the net from the NAS - mostly.)

Keep your NAS up to date.
(I found that out the hard way ;-).)
Posts: 2283
Joined: 22 Aug 2012

Plerry

The best thing to do, is to create your FFS Scheduled Task to be run under dedicated user credentials.
See here.
And only that dedicated user (or the credentials stored for that user in the Credential manager for your NAS LAN location) should have access to the NAS share.
Obviously, you need to trust the Windows Credential Manager ...
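
The setup described in the post above, as an added example that is not part of the original post or of FreeFileSync's own documentation. The account name `svc-ffs`, the task name `FFS-NAS-Backup`, the job file path and the NAS host name `NAS` are hypothetical, and it assumes the NAS has an account with the same user name and password as the only one allowed on the share.

```powershell
# Added example. Hypothetical names: account 'svc-ffs', task 'FFS-NAS-Backup',
# job file C:\Backup\nas-backup.ffs_batch, NAS host name 'NAS'.
# Run in an elevated PowerShell session on the machine that runs the backup.
$account = 'svc-ffs'
$ffsExe  = 'C:\Program Files\FreeFileSync\FreeFileSync.exe'   # default install path
$job     = 'C:\Backup\nas-backup.ffs_batch'

# 1. Dedicated local account, not added to Administrators.
#    Assumption: the NAS has an account with the same name and password, and
#    the share's permissions on the NAS allow only that account.
$secure = Read-Host -AsSecureString "Password for $account"
New-LocalUser -Name $account -Password $secure -PasswordNeverExpires `
    -Description 'Runs the FreeFileSync NAS backup only' | Out-Null

# 2. Nightly task at 03:00 that runs the batch job as that account.
#    The account also needs the "Log on as a batch job" right and read access
#    to the folders being backed up.
$action  = New-ScheduledTaskAction -Execute $ffsExe -Argument "`"$job`""
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'
$plain   = [System.Net.NetworkCredential]::new('', $secure).Password
Register-ScheduledTask -TaskName 'FFS-NAS-Backup' -Action $action -Trigger $trigger `
    -User "$env:COMPUTERNAME\$account" -Password $plain | Out-Null
Remove-Variable plain

# 3. Check, as the normal interactive user, that this user holds no path to
#    the NAS: no live SMB session and no stored credential for it.
#    Both commands should print nothing.
Get-SmbConnection -ServerName 'NAS' -ErrorAction SilentlyContinue
cmdkey /list | Select-String -Pattern 'NAS'
```

Because the task authenticates as `svc-ffs`, no drive is mapped in the interactive user's session while the backup runs, so processes running as that user get no share access from the backup job.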
Posts: 5
Joined: 16 Nov 2022

alefello

> Disconnect Internet (but leave LAN active) during the backup period.
> (Then reconnect.)
>
> If the NAS doesn't actually need to be net facing, block it from the Internet.
> (I did that on my end. Actually, I blocked the net from the NAS - mostly.)
>
> Keep your NAS up to date.
> (I found that out the hard way ;-).)
>
> therube, 16 Nov 2022, 21:37

This is just a little impossible. It's a batch process that runs every night at 3:00 AM, on a SERVER, and to protect from a ransomware/virus.
How can I disconnect the server from the Internet every night at 3:00 AM, with an alarm clock?
Why should I disconnect a server (that is intended to provide services over the internet too) from the internet only to do a backup?
What suggests to you that the ransomware/virus works only while the server is connected to the internet, and that if I got it before, it goes to sleep the moment I disconnect the server from the internet?
The NAS is actually protected from the internet by a firewall, no services are available from outside, and it's always up to date, but I suspect the NAS will not be the weak link when coming to a virus/ransomware attack, but the PCs and servers in the same network.

> The best thing to do, is to create your FFS Scheduled Task to be run under dedicated user credentials.
> See here.
> And only that dedicated user (or the credentials stored for that user in the Credential manager for your NAS LAN location) should have access to the NAS share.
> Obviously, you need to trust the Windows Credential Manager ...
>
> Plerry, 17 Nov 2022, 08:48

Ok thank you. Why do you discard the FTP possibility in favour of the "SMB with another user" possibility?
Posts: 2283
Joined: 22 Aug 2012

Plerry

> Why do you discard the FTP possibility in favour of the "SMB with another user" possibility?

I don't mention FTP or SMB.
Either one should work, assuming your NAS supports the protocol.
It should also not make any difference for the Credential Manager, as those credentials are used per top-level network location (IP-address), irrespective of protocol.
However, my personal preference is for SMB, as FTP does not, or seldom does, preserve file dates, while SMB does.
Posts: 943
Joined: 8 May 2006

therube

> but I suspect the NAS will not be the weak link when coming to a virus/ransomware attack

That is not necessarily the case.
There certainly are attacks directly against NAS devices.

https://threatpost.com/ech0raix-ransomware-variant-qnap-synology-nas-devices/168516/
https://www.reddit.com/r/synology/comments/v3kffx/synology_nas_hit_with_ransomware/
https://kb.synology.com/en-us/DSM/tutorial/How_to_add_extra_security_to_your_Synology_NAS

A NAS can be ransomed without the PCs being affected at all.
(And vice versa, of course.)


That you are up to date is good.