EX4: safety and remote control issues

I apologize in advance for my bad English.

Below are several (rather critical) problems that we found (during days of testing) with our EX4: we do not have special needs, other than to access the NAS directly (without the mediation of other software) and to manage all of its content according to the authorizations set, with the assurance of an adequate implementation of security levels.

Points A to C are mainly problems; D includes suggestions.

 

A)  Security

The following are critical issues about accesses to the NAS that are performed by computers which can be:

-     of third parties;

-     of mixed use;

-     not systematically overlooked.

1)   Regarding credentials and login:

a)   the dashboard should allow the system administrator (not simple users) to enable / disable the “remember me” checkbox at login (the best thing would be the possibility to set this checkbox on/off for each user, but it is not essential);

b)   similarly to point 1, WD MyCloud should not “remember” user and password (the password for opening the software may be enough at the home level, but not at the professional level);

c)   the application (WD MyCloud) should use the dashboard users (the need to use e-mail may be fine to activate the application, the first time, but then has no reason to be used) and, above all, the same passwords set in the NAS (it is useless that the administrator sets complex passwords if users can set “foo”);

at least, it would be good to define the minimum requirements of the password to be set (length and type of characters that must be present);

2)   after the last firmware update (1.4.05), and the reboot of the NAS, the access restrictions (that have been set for various directories) seemed to be correct in the dashboard, but users can manipulate folders for which they did not have permission (in particular they can save and delete files in the read-only directories);

the problem has been solved (so it seems) by setting the permissions from scratch (just as they were already);

3)   we have observed that the link of a user persists even after a network connection loss: in these cases users should be forced to re-authenticate manually (otherwise you have a weak point of security, since the user might not have a way to wait for the network reconnection and then to log out);

4)   the connection timeout does not apply to the link of a user by LAN; this has the same security issues referred to in the preceding paragraph.

With regard to points 3 and 4 (automatic reconnection and timeout for LAN), these could possibly be considered as a feature that can be enabled/disabled via the dashboard.

B)  Reliability and Control

1)   using port forwarding and avoiding the use of WD My Cloud, with the remote connection it is impossible to upload, download and open files (for all directories, even for “Public”) for all users (of course authorized for reading and writing), except for the administrator;

the problem:

a)   occasionally and temporarily it seems to be solvable by setting each time the permissions ex novo (just like they already are… ); the issue is similar to point 2 of A;

b)   is also sensitive because the use of WD My Cloud should not be mandatory for remote access, both on account of the safety issues in point 1 of A, and because, if we have to give a customer access to the NAS, it is inappropriate that the customer has to communicate his e-mail to a third party;

2)   the Public directory has to be deletable (or at least settable to read-only): frankly we do not find it reasonable that users can access a directory (uncontrolled by the system administrator) with open access and where they can upload files at will (and this problem cannot be solved with quotas).

The forced existence of the Public folder prevents us from providing access to the NAS to our customers (and this would be one of the reasons why we bought the NAS); this is because we cannot prevent that in this folder will be uploaded:

-     reserved files (dangerous error that may be considered a security issue);

-     infected files (even if in good faith);    

-     unseemly files (because funny guys are always on duty, and for some customer this may not be acceptable).

C)   Practicality

1)   with remote connection to the dashboard, for all users (except for the administrator) the line of the “path” in the web viewer is not updated (and forces you to restart the web viewer to jump to parent directories);

2)   you cannot associate to groups access permissions of directories (the permissions can only be associated to users);

in case of multiple users, authorization levels and folders, this greatly complicates the work (and in practice makes groups useless at the dashboard interface);

3)   remote upload of files blocks the navigation (via dashboard): if you try to close the upload window, the NAS warns that if we proceed the operation will be interrupted; the upload should proceed in background.

D)  Functionality

1)   notification; it would be:

-     particularly useful to notify (to predefined users) the upload of files in particular directories;

I highlight that this would be important also for standards such as ISO 16175 (for document management systems);

-     useful to notify (to predefined users) downloads (or access to the NAS) of certain users;

2)   power supply programming; it would be useful to be able to program the shutoff of the NAS at least in two hour bands (with the current slider you can set a single switchoff);

it would be helpful if new versions of NAS could control the power supply of an external device, in order to manage it by programming its power supply (it could for example be used to turn on / off the router to which the NAS is connected).

With regard

It’s a long post, so I only read the first couple points and wanted to just post my views on them - I might read the rest later and may (or may not) share thoughts if I have any.

Andrea_IT wrote:

 

1)   Regarding credentials and login:

 

a)   the dashboard should allow the system administrator (not to simple users) to enable / disable the checkbox “remember me” in login (the best thing would be the possibility to set on/off this checkbox for each user, but it is not essential);

 

b)   similarly to the point 1, WD MyCloud should not “remember” user and password (the password for opening the software may be enough at the home level, but not at the professional level);

 

 

The first and second items are convenience features that many people want - and yes, they can be security risks if you are in a corporate environment…but in that case it could be as simple as a matter of training and policy in your organization to not check that checkbox…that takes care of the issue. Your needs cannot dictate over the needs of other users who do find having that feature convenient. If something in design doesn’t meet your requirements, then unless it affects a wide range of users, the only option is to find a workaround rather than hope and wait for a fix - and in this case the workaround would be to have a company policy. I personally like having the remember me checkbox the way it is.

I understand the need for home users, in fact I hope that the various “remember me” can be turned off as an option :smiley:.

At present, the absence of this option constitutes a weak point of security, which, however, should not be difficult to solve.

Furthermore, it should be considered that a security system based only on procedures and recommendations (and not on “physical” constraints) practically is not a security system.

Thanks for your time

The WD MyCloud EX4 is marketed and sold as a prosumer unit. WD does sell an enterprise version of this under the Sentinel branded product

http://www.wdc.com/en/products/products.aspx?id=1160

Please select the correct product for your business needs.  

WD includes the EX4 between the products for small offices, and that’s what we are.

We bought the EX4 because it nominally answers our needs, and for us WD is / was a trusty mark, so we thought of going on the safe side (we have a dozen or VelociRaptor and are as much reliable as performant).

On the other hand, here in Italy it is not easy to find this kind of product in stock (and we had some urgency).

That there may be products better than EX4 (although only with respect to our needs) is obvious, but I do not think that this matters much: the question is what does or does not do the EX4 compared to what one might reasonably expect from the product.

The desires are desires, of course, but the gaps are gaps, and the bugs are bugs. I do not think that our observations are out of place for prosumers (they are professional users indeed, aren’t they?): I suppose that even a freelance photographer (just to mention a professional) could easily have our needs (and could easily find the same flaws in EX4) :dizzy_face:

Prosumer is a term to describe enthusiast consumers…those looking for higher end stuff than regular consumer-grade stuff. Prosumers do not imply professional users. So for the home user, that particular security concern isn’t an important one. The EX4 (and EX2) does straddle the line between enthusiast home use and small business use…and that is where design choices like these that can impact security can have divergent views between the home user and professional user.