Does anyone on my network have access to...everything?

My Cloud OS 3 Personal & Network Attached Storage My Cloud
1

I am new to both NAS and personal cloud, which are also the reasons why i bought an easy set-up WD My Cloud.

I have a question regarding security: Does any device on my network have access to all folders on the WD My Cloud?

The reason i’m asking is this: I currently  only have one user (me) on the My Cloud and the setup is done on the connected PC (wire-router-WD-My Cloud). I downloaded  the My Cloud App for my iPad and immediately i had access to everything… No code or anything was needed. I tried with my daughters iPad and same thing. My Cloud registers anything on the network as being me, i.e. anyone with the app coming to my house would have access to My Cloud.

How do i limit this?

2

A bit more info:

Apparently if there is only one user on the WD My Cloud it assumes that all devices on the network is for nthis user and grants the devices full access…

3

Have you turned all the folders to private(except the public thats not changable). By default all shares, and when you make new shares are set to public use. After you make the new share you will see under the name you gave it a little switch to turn it from public to private. THEN you have to go down and grant access to yourself and anyone else that you want to see the folders. 

4

Damun wrote:

The reason i’m asking is this: I currently  only have one user (me) on the My Cloud and the setup is done on the connected PC (wire-router-WD-My Cloud). I downloaded  the My Cloud App for my iPad and immediately i had access to everything… No code or anything was needed.

Did you password-protect that user?

5

@sxc7885 That was the first thing i did.

@TonyPh12345: This is a “solution”. However, i still think that granting a device access to My Cloud should require a code of some kind, even if it is accessing My Cloud from my network.

Just to sum up:

  • If you only have one user set up on the My Cloud, then all devices that are on the network will be treated as they belong to that user and access is granted to everything, without the request for any code.

  • Creating a second user would promt you to choose which user you would “log in as” when accessing My CLoud via “cloud access” from iPad or iPhone, but if i choose my user (myself) i would still have access to everything

  • Password protecting a user (myself) would require a password from a wireless device, but only if i delete it from the list of cloud devices first and reconnect again

It seems that once you have been granted acces on a device (it is listed under user’s cloud devices, you will have access allways, even if you password protect that user later (i.e. after you have added a device).

My concern is still that, anyone with acces to my network would automatically have unlimited acces to My Cloud. The “code” thing only works for devices that are not on your network (i.e. from internet). Once someone is on your network, and has the My Cloud App, he or she will not need a code to access My Cloud.

Now i have a password on my user, so at least some protection. And, yes, my network is also protected.
In my opinion this this is a big flaw on this drive.A code should be required for all devices, period!

Please correct me if i am wrong or if i have missed something, and sorry for the lengthy post…

6

I understand your logic, albeit circular.

If you have no password on your account, then you’re implicitly permitting anyone access to your drive.

The Cloud App isn’t the only thing that would be permissive.  Anyone that had access to your WiFi network could also connect to it via Samba, for example (using apps like File Browser) and whatnot.  Chances are, unless you’ve explicitly configured your PC shares to require passwordst, the same users could also access your printers and network shares on your PC.

Yes, I agree that if you change an account from password-less to password-protected that the cloud should enforce re-authentication.   

But there should be no need to enforce password changes if you change the password on the Cloud.  The cloud already gives you the ability to selectively de-authorize specific devices in such a case.

Damun wrote:

  • Password protecting a user (myself) would require a password from a wireless device, but only if i delete it from the list of cloud devices first and reconnect again

It can be done either way… the mobile user can remove the device from the NAS list, or you can remove the mobile device from the NAS’s device list.

Damun wrote:

My concern is still that, anyone with acces to my network would automatically have unlimited acces to My Cloud. The “code” thing only works for devices that are not on your network (i.e. from internet). Once someone is on your network, and has the My Cloud App, he or she will not need a code to access My Cloud.

Not for un-authorized devices.  Someone new getting access to your WiFi network, as long as your account is password protected, would need the password (or a MAK code) to access the drive.

Damun wrote:

…this is a big flaw on this drive.A code should be required for all devices, period!

I think this is a “Belt, Suspenders, and Super-glue” approach, but that’s OK…   

I think of it the other way.  You, as the owner, are responsible for the drive’s security.  It provides you mechanisms to do that, which you are not (or previously were not) using.

If you’ve password-protected your user account(s), then you’re already secure.