Synology Hardening

Hardening steps that change the default settings to improve the security of a Synology NAS.

Synology DSM 6.1 hardening settings:

Using the Security Advisor:

Install and run the Synology Security Advisor and consider applying the settings it advises.

Control Panel:
Control Panel, Update & Restore, DSM Update:
  • Update Settings: choose the option that installs security fixes as soon as possible, and check for updates regularly.
Control Panel, user:
  • Create a new user with full administrative rights, log in as that user to confirm it works, then disable the built-in admin account.
  • Advanced, Password Settings: select Allow non-administrator users to reset forgotten passwords via email (this requires the notification e-mail to be configured).
  • Advanced, Password Settings, Apply password strength rules, select:
    • Exclude name and description of user from password. 
    • Include mixed case
    • Include numeric characters
    • Include special characters
    • Exclude common password
    • Minimum password length: 8
    • Password history (times): 1
  • Advanced, Password Expiration, select:
    • Enable password expiration
    • Maximum password valid duration (days): 183. Exclude administrator accounts by ticking Password is always valid for them, and change those passwords manually on a regular schedule.
    • Minimum password valid duration (days): 1
    • Prompt users to change password upon login before expiration (days): 14
    • Send expiration notification emails: sent at 12:00, days before expiration: 14, 10, 5, 3, 2, 1
  • Advanced, 2-Step Verification:
    • Enforce 2-step verification for the following users: all users. Enrol the new administrative account first, so that enforcement cannot lock you out.
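
To see what the password-strength rules above accept and reject before rolling them out, here is an added Python model of those rules. It is an illustration written for this checklist, not Synology code, and not how DSM implements its check. Assumptions: "exclude common password" is an exact, case-insensitive match against a list, description words of three or more characters count as "description", and password history is modelled by passing in the previous passwords; the common-password list and the jdoe account are constructed.

```python
"""Model of the DSM 6.1 password-strength rules from the checklist.

Added example; not Synology code and not DSM's internal checker.
Assumptions: 'exclude common password' is an exact, case-insensitive match
against a list; description words of three or more characters count;
'password history' is modelled by passing previous passwords in.
"""
import re
import string

# Constructed sample list; DSM ships its own.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "synology"}

MIN_LENGTH = 8   # Minimum password length from the checklist
HISTORY = 1      # Password history (times) from the checklist


def check_password(password, username, description="", previous=(),
                   min_length=MIN_LENGTH, common=COMMON_PASSWORDS):
    """Return the rules the password violates; an empty list means accepted."""
    violations = []
    lowered = password.lower()

    # Exclude name and description of user from password
    if username and username.lower() in lowered:
        violations.append("contains user name")
    words = re.findall(r"[a-z0-9]+", description.lower())
    if any(len(w) >= 3 and w in lowered for w in words):
        violations.append("contains word from user description")

    # Include mixed case
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        violations.append("no mixed case")
    # Include numeric characters
    if not any(c.isdigit() for c in password):
        violations.append("no numeric character")
    # Include special characters
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    # Exclude common password (exact match, assumption)
    if lowered in common:
        violations.append("common password")
    # Minimum password length
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    # Password history: the last HISTORY passwords may not be reused
    if password in tuple(previous)[-HISTORY:]:
        violations.append("reuses a previous password")
    return violations


if __name__ == "__main__":
    # Constructed account: user name jdoe, description "John Doe, finance"
    for pw in ("password", "jdoe-2024!", "Doe!2024", "Tr0ub4dor&3"):
        print(f"{pw!r}: {check_password(pw, 'jdoe', 'John Doe, finance') or 'accepted'}")
```

Note that an exact-match common-password rule still accepts "Password1!", which is why the mixed-case, digit and special-character rules and a sensible minimum length matter in combination; a longer minimum than 8 costs nothing on a NAS with few interactive users.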
Control Panel, Terminal & SNMP, Terminal:
  • Leave the SSH service disabled unless it is needed; if it is enabled, set the security level under Advanced Settings to High.
Control Panel, Security, Security:
  • Improve protection against cross-site request forgery attacks
  • Improve security with HTTP Content Security Policy (CSP) header.
  • Do not allow DSM to be embedded with iFrame.
  • Clear all saved user login sessions upon system restart. 
Control Panel, Security, Firewall:
  • Consider enabling the firewall; the right rule set depends on your IT infrastructure. Typical use is an allow rule per required service (for example the VPN service, or Hyper Backup from a specific source address) followed by a deny rule for everything else. Test remote access before leaving the console so the rule set cannot lock you out.
Control Panel, Security, Protection:
  • Consider enabling DoS protection, depending on your IT infrastructure.
Control Panel, Security, Account, Auto Block:
  • Select Enable auto block, Login attempts: 10, Within (minutes): 5. Select Enable block expiration, Unblock after (days): 1. Consider an allow list for your own management addresses (so you cannot lock yourself out) and a block list for known-bad sources.
Control Panel, Security, Account, Account Protection, Untrusted clients:
  • Enable Account Protection
  • Login attempts: 5
  • Within (minutes): 1
  • Cancel account protection (minutes later): 30
Control Panel, Security, Account, Account Protection, Trusted clients:
  • Login attempts: 10
  • Within (minutes): 1
  • Unblock (minutes later): 30
  • Note: Auto Block counts failures per source IP address, Account Protection counts them per account, so the latter also stops password spraying against one account from many addresses.
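
To check how the Auto Block and Account Protection values above behave together, here is an added Python model that runs both policies over constructed login-failure records. It is an illustration written for this checklist, not Synology code; DSM's log format and internal bookkeeping are not reproduced. Assumptions: failures are counted in a sliding window, a blocked source IP produces no further failures, and a protected account ignores further failures from the same client class until the protection lapses. The three scenarios (fast brute force on admin, a user mistyping from a trusted laptop, a slow attacker on jdoe) and all addresses are constructed.

```python
"""Model of the Auto Block and Account Protection thresholds from the checklist.

Added example; not Synology code. Assumptions: sliding-window counting, a
blocked IP cannot reach the login page, a protected account ignores further
failures from the same client class until the protection lapses.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy values from the checklist above.
AUTO_BLOCK = {"attempts": 10, "window": timedelta(minutes=5), "unblock": timedelta(days=1)}
ACCOUNT_PROTECTION = {
    "untrusted": {"attempts": 5,  "window": timedelta(minutes=1), "unblock": timedelta(minutes=30)},
    "trusted":   {"attempts": 10, "window": timedelta(minutes=1), "unblock": timedelta(minutes=30)},
}


def _hit(queue, ts, policy):
    """Record one failure in a sliding window; True when the threshold is reached."""
    queue.append(ts)
    while queue and ts - queue[0] > policy["window"]:
        queue.popleft()
    if len(queue) >= policy["attempts"]:
        queue.clear()
        return True
    return False


def evaluate(failures):
    """failures: (timestamp, account, source_ip, trusted_client) tuples in time order.

    Returns (blocked_ips, protected_accounts): dicts keyed by IP, respectively by
    (account, client class), whose values are (blocked_at, blocked_until)."""
    ip_hits, acct_hits = defaultdict(deque), defaultdict(deque)
    blocked_ips, protected = {}, {}

    for ts, account, ip, trusted in failures:
        # Auto Block works per source IP; a blocked IP never reaches the login page
        if ip in blocked_ips and ts < blocked_ips[ip][1]:
            continue
        if _hit(ip_hits[ip], ts, AUTO_BLOCK):
            blocked_ips[ip] = (ts, ts + AUTO_BLOCK["unblock"])

        # Account Protection works per account and client trust class, so one
        # account sprayed from many addresses is still caught
        cls = "trusted" if trusted else "untrusted"
        key = (account, cls)
        if key in protected and ts < protected[key][1]:
            continue
        if _hit(acct_hits[key], ts, ACCOUNT_PROTECTION[cls]):
            protected[key] = (ts, ts + ACCOUNT_PROTECTION[cls]["unblock"])
    return blocked_ips, protected


def _burst(start, account, ip, trusted, count, step):
    return [(start + i * step, account, ip, trusted) for i in range(count)]


T0 = datetime(2024, 1, 1, 10, 0, 0)
# Constructed records: a fast brute force on admin, a user mistyping from a
# trusted laptop, and a slow attacker staying under both windows on jdoe.
SAMPLE_FAILURES = sorted(
    _burst(T0, "admin", "203.0.113.5", False, 12, timedelta(seconds=10))
    + _burst(T0, "jdoe", "192.0.2.10", True, 6, timedelta(seconds=8))
    + _burst(T0, "jdoe", "198.51.100.7", False, 12, timedelta(seconds=40)),
    key=lambda rec: rec[0],
)

if __name__ == "__main__":
    blocked, protected = evaluate(SAMPLE_FAILURES)
    for ip, (at, until) in blocked.items():
        print(f"auto block  {ip:15} at {at:%H:%M:%S} until {until:%Y-%m-%d %H:%M:%S}")
    for (acct, cls), (at, until) in protected.items():
        print(f"protect     {acct} ({cls}) at {at:%H:%M:%S} until {until:%H:%M:%S}")
```

Running it shows the fast brute force tripping Account Protection on the fifth failure and Auto Block on the tenth, the trusted laptop never reaching either threshold, and the slow attacker (one failure every 40 seconds) never accumulating ten failures within five minutes or five within one minute. That last case is why the thresholds alone are not enough: review the login log periodically, keep the firewall allow list tight, and rely on 2-step verification for the accounts that matter.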
Control Panel, Security, Advanced, TLS/SSL Cipher Suites:
  • Select Modern compatibility. Older clients that only support legacy ciphers will no longer connect; drop to Intermediate compatibility only if such a client is required.
Control Panel, Network, DSM Settings:
  • Select Automatically redirect HTTP connections to HTTPS (Web Station and Photo Station excluded).
Web browser:
  • Use the browser's incognito (private) mode or guest-browsing feature when accessing the Synology NAS from a public computer, and log out of DSM afterwards.