I apologize in advance for my bad English.
Follows several problems (rather critical) that we found (during days of testing) with our EX4: we do not have special needs, but to access directly to the NAS (without the mediation of other software) and manage all of its content according to the authorizations set and the assurance of an adequate implementation of security levels.
Points A to C are mainly problems; D includes suggestions.
The following are critical issues about accesses to the NAS that are performed by computers which can be:
- of third parties;
- of mixed use;
- not systematically overlooked.
1) Regarding credentials and login:
a) the dashboard should allow the system administrator (not to simple users) to enable / disable the checkbox “remember me” in login (the best thing would be the possibility to set on/off this checkbox for each user, but it is not essential);
b) similarly to the point 1, WD MyCloud should not “remember” user and password (the password for opening the software may be enough at the home level, but not at the professional level);
c) the application (WD MyCloud) should use the dashboard users (the need to use e-mail may be fine to activate the application, the first time, but then has no reason to be used) and, above all, the same passwords set in the NAS (it is useless that the administrator sets complex passwords if users can set “foo”);
at least, it would be well define the minimum requirements of the password to be set (length and type of characters that must be present);
2) after the last firmware update (1.4.05), and the reboot of the NAS, the access restrictions (that have been set for various directories) seemed to be correct in the dashboard, but users can manipulate folders for which they did not have permission (in particular they can save and delete files in the read-only directories);
the problem has been solved (so it seems) by setting the permissions from scratch (just as they were already);
3) we have observed that the link of a user persists even after a network connection loss: in these cases users should be forced to re-authenticate manually (otherwise you have a weak point of security, since the user might not have way to wait for the network reconnection and then to logout);
4) the connection timeout does not apply to the link of a user by LAN; this has the same security issues referred to in the preceding paragraph.
With regard to points 3 and 4 (automatic reconnection and timeout for LAN), these could possibly be considered as a feature that can be enabled/disabled via the dashboard.
B) Reliability and Control
1) using the port-forwarding and avoiding the use of WD My Cloud, with the remote connection is impossible to: upload, download and open files (for all directories, even for “Public”) by all users (of course authorized in reading and writing), except for the administrator;
a) occasionally and temporarily it seems to be solvable by setting each time the permissions ex novo (just like they already are… ); the issue is similar to point 2 of A;
b) is also sensitive because it should not be mandatory the use the WD My Cloud for remote access, both on account of the issues of safety in point 1 A, and because if we have to give to a customer the access to the NAS , is inappropriate that the customer have to communicate his e-mail to third party;
2) Public directory have to be deletable (or at least settable to read-only): frankly we do not find reasonable that users can access a directory (uncontrolled by the system administrator) with open access and where they can upload files at will (and this problem cannot be solved with quotas).
The forced existence of the Public folder prevents us from providing access to the NAS to our customers (and this would be one of the reasons why we bought the NAS); this is because we cannot prevent that in this folder will be uploaded:
- reserved files (dangerous error that may be considered a security issue);
- infected files (even if in good faith);
- unseemly files (because funny guys are always on duty, and for some customer this may not be acceptable).
1) with remote connection to the dashboard, for all users (except for the administrator) the line of the “path” in the web viewer is not updated (and forces you to restart the web viewer to jump to parent directories);
2) you cannot associate to groups access permissions of directories (the permissions can only be associated to users);
in case of multiple users, authorization levels and folders, this greatly complicates the work (and in practice makes groups useless at the dashboard interface);
3) remote upload of files blocks the navigation (via dashboard): if you try to close the upload window, the NAS warns that if we proceed the operation will be interrupted; the upload should proceed in background.
1) notification; it would be:
- particularly useful to notify (to predefined users) the upload of files in a particular directories;
I highlight that this would be important also for standards such as ISO 16175 (for document management systems);
- useful to notify (to predefined users) downloads (or access to the NAS) of certain users;
2) power supply programming; it would be useful to be able to program the shutoff of the NAS at least in two hour bands (with the current slider you can set a single switchoff);
it would be helpful if new versions of NAS could control the power supply of an external device, in order to manage it by programming its power supply (it could for example be used to turn on / off the router to which the NAS is connected).