Security hole with shares?

I’ve plugged my Passport USB drive into the back of my My Cloud.  A share called My_Passport was automatically created.  I’m using this USB drive solely for Safepoints.  I am unable to remove the My_Passport share, so I locked it down by turning off Public Access and assigning both users I created as “No Access”.  However, now any user is able to access the share via UNC and see any file in the share.  Since it’s a safepoint, essentially any user has access to any file on the NAS as of the last backup.

If I grant User A “No Access” and User B “Read” access, then User A is no longer able to access the folder.  However, if I switch User B to “No Access” again, User A is able to access the share (despite still having “No Access”).  It seems like if all users are locked out of the share, some sort of failsafe is granting all users access.

So…  pretty big hole for me since I’d like to leave the drive connected for automatic backups, but I can’t do so without exposing all data to every user.

net use * /delete

Wait a couple of mins, then try accessing again from File Explorer.

This isn’t a persistent share credential issue.  I can reproduce this from a new machine that has never talked to the NAS before.  My scenario:

User A and User B are password-protected accounts on the NAS.

Share A is a share that User A has full control of but User B has No Access to.

Share B is a share that User B has full control of but User A has No Access to.

My_Passport is a share created by the NAS when I plug my USB drive in.  I’ve set it to Public Access Off and User A and User B both to No Access.

Public is a share with Public Access On.

When I connect to my NAS via UNC from a computer that’s never authenticated to the NAS, I am able to access the Public share without being prompted for any credentials.  When I attempt to view Share A, Share B, or My_Passport, I am prompted for credentials and rejected if I do not provide them.  If I provide the credentials for User B, I am able to access Share B and My_Passport, even though My_Passport is set to No Access for User B.  Share A correctly rejects me since User B has No Access to Share A.