TechDirectArchive

Hands-on IT, Cloud, Security & DevOps Insights

DSM Security: How to Protect Synology DS923+ NAS

Posted on 20/02/2024, 17/10/2024 by Christian

This guide follows industry best practices in configuring and presenting the steps for “DSM Security: How to Protect Synology DS923+ NAS”. To protect the data and system on your Synology DS923+, it is crucial to implement security controls actively. Active security measures strengthen your overall defense posture, guard against potential threats and vulnerabilities, and improve the resilience of your Synology DS923+. Please see “IP Address blocked on Synology NAS due to forgotten Password”, and the step-by-step guide on how to set up the Synology DS923+ NAS.

Note: Documenting various ways to protect your Synology DS923+ is challenging due to the continuous nature of security. You must adapt security measures to meet your future needs.

Also, see how to “Fix Windows Can’t find the path: Please check the spelling and try again“, how to enable Secure Boot on PC to install Windows 11, and “Synology NAS brute-force attack: Employ Synology Best Practice to remediate StealthWorker Botnet attack“.

DSM Security: Protecting Synology DS923+ NAS

Securing your Synology DS923+ involves implementing a multi-layered approach to software security.

Run the Latest DSM Version

Ensure that your Synology DiskStation Manager (DSM) is running the latest version. Regularly updating your DSM allows you to leverage the most recent security patches, bug fixes, and enhancements provided by Synology, ensuring optimal performance and robust security for your system.

Note: During setup, you will have the opportunity to enable automatic update checks.

DSM-version

If automatic updates are not already enabled, access the DSM interface via the QuickConnect URL. In the DSM interface, navigate to the “Control Panel.” Within the Control Panel, locate and click on “Update & Restore” as shown above.

Next, click on Update Settings, and select the recommended option to automatically install updates that fix critical security issues and bugs.

Automatic-DSM-Update

Enforce Strong Authentication

A strong password serves as the primary defence, acting as an impregnable wall safeguarding your data from unauthorised access.

Conversely, the fact that a majority of security breaches result from weak passwords is a strong reason to adopt a robust password strategy to protect the data on your NAS.

To enhance the security of your NAS and protect its data effectively, employ a robust password strategy. Avoid using common words and opt for a non-word approach. Compose passwords with a combination of capital letters, numbers, and symbols, ensuring a minimum length of 12 characters. A password crafted in this manner virtually eliminates the possibility of being guessed, making a strong password the key to securing your NAS comprehensively.

This section discusses how to enforce strong authentication for DSM access by requiring complex passwords. The next section enables two-factor authentication (2FA) for an additional layer of security.


Set Synology NAS Password Rules

To implement Password rules, launch the Control Panel.

Synology-Control-Panel

Locate the User and Group and select “Advanced”. Tick the Apply password strength rules checkbox. Tick or untick the following options according to your needs and click Apply when done.

Implement-Password-Policy

Note: Password strength rules only apply to new passwords. For example, new password strength rules are only applied when creating a new user account or when an existing user changes their password. Existing passwords and those belonging to imported user accounts are excluded from new password rules.

Enable 2-Factor authentication (2FA)

To further enhance the security of your NAS, enable 2-Factor Authentication for your DSM account. You can opt for either a mobile device for Approve sign-in or OTP (one-time verification code), or employ a hardware security key.

By the way, this window was prompted again and I had to complete this step :-) Anyway, I will show you how to get to this place.
Enable-2FA

I recommend setting up 2-factor authentication (2FA) for your DSM account. By making a second identity verification step mandatory, you add an extra layer of protection to safeguard your account and create a barrier to hacking.

To enable 2FA, navigate to DSM > Personal as shown below.

Personal

On the Security tab, click 2-Factor Authentication and then Apply.

Select-2FA

Select Verification Code (OTP)

Note: OTP setup is mandatory if you’re using Synology mobile apps or utilities, because Approve sign-in and hardware security key support web login only. We also recommend setting up OTP as it works when there is no Internet service.

OTP

Enter your current password and click OK.

Verify-identity

Click Next to continue

Protect-DSM-account-with-2FA

Download Synology’s App “Secure SignIn” which is available on both Android and iOS devices for a seamless setup of 2-factor authentication. This robust security feature ensures an added layer of protection for your NAS, fortifying it against potential threats.

Scan-Code

Scan the QR code to download the app, then click Next.

QR-code-to-download-app

Enter the verification code.

QR to enable OTP

Enter a backup email. This is relevant in case you lose your mobile device.

Backup-email

Click on Done to complete this 2FA process.

OTP-on-Synology-complete

As you can see below, we have successfully enabled 2-factor authentication.

Second-Pactor-completed

Protect Synology Folder against Ransomware

Ransomware attacks are becoming an increasing threat to both business and home users. This section discusses steps to prevent ransomware attacks and the best practices to employ.

Note: To ensure the security and integrity of your data, you will need to maintain an offline, encrypted backup, and regularly verify its restore capability. Adhere to the 3-2-1 backup strategy by storing a third set of data off-site or in the cloud, shielding your data against fire, natural disaster, or theft. Establish Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for each platform, and conduct periodic disaster recovery tests to validate your preparedness.

I would recommend storing your backups to a Synology server at a secondary location to defend against physical disaster and replicate immutable snapshots for added ransomware protection. Alternatively, back up to any major cloud storage provider, keeping your data safe from unauthorized access through client-side AES-256 encryption.

Enable Immutable Snapshots

To prevent unauthorized changes to data and snapshots, we have to configure Immutability for our snapshots. To do this, click on the Main Menu as shown below.

Main-menu-Synology

Search for Snapshot Replication

Launch-Snapshot-Replication

On the “Optimize Replication Performance” prompt, click OK as shown below.

Clik-OK

Select the folder you wish to protect with snapshot replication.

Snapshot-replication

Enable the snapshot schedule and also enable the Immutable snapshots as shown below.

Schedule-for-Snapshot-replication

On the Retention Tab, enable the retention policy. As for me, I am fine with keeping the snapshots for 7 days. When done, click OK.

rentention-period

Click OK on the Advanced Tab as shown below.

Advanced-Snapshot-replication-setting

As you can see below, Snapshots outside the retention policy will now be deleted, click OK.

Agree-by-clicking-OK

As you can see, we have successfully configured Scheduled Replication and Enabled Immutability for our Snapshot.

Folder-snapshot-replication-scheduled

In case you wish to perform snapshot recovery, this can be done under the Recovery tab. For other ways to protect your Synology DS923+ NAS, please take a look at the Knowledge Center.

Want-to-perform-Snapshot-recovery

Create a User Group on Synology

In this section, we will create user accounts and groups to manage access control. Define permissions for shared folders. This will ensure secure data access for different users within your network.

Note: Creating a user group on Synology enhances system administration by simplifying user management and access control. User groups allow administrators to efficiently assign permissions, streamline user configurations, and ensure secure and organised data access. By creating user groups, administrators can optimize the management of users and their permissions on Synology, fostering a more structured and secure environment.

To perform everyday tasks, it is recommended to use a regular account. In this way, if the account is compromised, not much harm can be done and it can likely be averted.

To create a Group on Synology, launch the Control Panel as shown below.

Synology-Control-Panel

Locate User and Group

click-on-User-and-Groups

Under Group, select Create as shown below. Enter the group information and click Next.

Group-Creation-Synology

If you already have a lot of users created, you can select them from this list. Since I am just showing you guys these steps, click Next.

No-User-Assignment-yet

Assign Shared Folder Permission to the Folders as you wish and click Next.

Assigned-Shared-folder-1

At this point, I am not interested in setting Group Quota. I will click Next.

Skip-Quota

Assign your desired Application permissions and click Next.

Assign-Application-Permission

I am not interested in the steps below, click Next.

Group-Speed-Limit

Confirm Group creation settings and click done.

Group-Creation-Done

Create an Admin Account

This step involves creating a new admin account and disabling the default admin account as recommended by Synology. We create an additional user account with full administrator credentials (admin privileges) to replace the current one, thereby providing an alternative for accessing your system.

To do this, launch the Control Panel, and navigate to User and Group as shown below. Create the User and assign the user to the Administrators group.

Grant-the-administrator-privilege-to-this-user

Create a Synology User Account

This account below will be used for daily activities, instead of the Admin Accounts. To do this, launch the Control Panel, and navigate to User and Group as shown below.

Note: Grant minimal necessary permissions to users and groups. Regularly review and update user permissions based on changing needs.

User-Creation

Click Create to create an additional account.

User-ACT-creation

Enter the User Information as shown in the image below and select Next.

Account-Information

From the list of available Groups, select a group to add the User to and click Next.

Join-Groups

Assign Shared Folder Permission to this user.

Folder-permission

Not interested in assigning User Quota, click Next.

Quota-Synology
Permission

Also on the Set User Speed Limit, click on Next.

Speed-Limit

Kindly confirm all the details are correct and click Done!

Confirm-settings

As you can see, the user account has been created.

ACT-Created

Synology Admin Account Security: Disable Default Admin Account

Since the default account “admin” is vulnerable to brute-force attacks, which can lead to ransomware attacks, I will be showing you the steps to have it disabled.

Note: You can’t rename or delete the current ‘admin’ account. The best practice is to create a second account with admin privileges in Control Panel / User & Group / Create, and disable the current ‘admin’ account completely.

Select the “admin” account and click the Edit tab. After clicking the Edit tab, a new window will open. Check ‘Deactivate this account’, check ‘Immediately’, then Save. 

Disable-your-default-admin-account

Synology: Domain/LDAP Integration

You may want to ask: why integrate your Synology NAS with a domain or LDAP directory? Utilizing the “Domain/LDAP” integration with Synology enhances system security and streamlines user authentication processes.

This integration facilitates a seamless connection between Synology NAS systems and your domain or LDAP directory, empowering administrators to manage user access and permissions efficiently.

To do this, log in to your Synology NAS DSM and navigate to the Control Panel. Under the “Connectivity” section in the Control Panel, find and open the “Domain/LDAP” application.

DomainLDAp-integration-with-Synology

Enter the LDAP server information by specifying the LDAP server’s address and the DNS server.

Enter-Sever-Information

Synology NAS Firewall Configuration

Enhance the security of your Synology NAS by configuring its firewall settings. You can enable the firewall, create firewall rules, and configure firewall settings to prevent unauthorized login and control service access. You can decide whether to allow or deny access to certain network ports by specific IP addresses.

If you have some basic network knowledge, we’d recommend spending some time to set firewall rules up. By default this service is disabled and there are no rules configured.

Configure the built-in firewall settings on your DS923+. Limit access to only necessary ports and services, blocking any unnecessary traffic. Regularly review and update firewall rules.

nas-firewall

You can create firewall rules for different firewall profiles, so as to easily and quickly switch to and apply the desired profile according to different security needs.

Note: DSM Firewall will match rules according to priority. Once a rule is matched, it will be enforced and DSM Firewall will not continue matching remaining rules. If there are no rules matched, DSM Firewall will perform the default action specified in each interface.
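The first-match behaviour in the note above means rule order decides the outcome. The following added example (a simulation written for this article, not DSM's implementation) evaluates rules top-down, falls back to the interface default, and flags rules that can never fire because an earlier rule already covers them. The rule names, addresses and the `Rule` structure are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source: str                      # CIDR; "0.0.0.0/0" means any source
    ports: frozenset = frozenset()   # destination ports; empty means all
    action: str = "deny"             # "allow" or "deny"


def matches(rule, src_ip, port):
    in_net = ip_address(src_ip) in ip_network(rule.source)
    return in_net and (not rule.ports or port in rule.ports)


def evaluate(rules, default_action, src_ip, port):
    """Walk the rules in priority order; the first match is enforced and
    nothing below it is consulted. No match means the interface default."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule.action, rule.name
    return default_action, "interface default"


def shadowed(rules):
    """Report (rule, earlier_rule) pairs where the earlier rule covers every
    source and port of the later one, so the later rule is dead."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            net_covered = ip_network(later.source).subnet_of(
                ip_network(earlier.source))
            ports_covered = (not earlier.ports) or (
                bool(later.ports) and later.ports <= earlier.ports)
            if net_covered and ports_covered:
                findings.append((later.name, earlier.name))
                break
    return findings


# Constructed sample profile: the admin wants guest devices in the upper
# half of the LAN kept away from the DSM web ports (5000/5001).
ALLOW_LAN = Rule("allow-lan", "192.168.1.0/24", frozenset(), "allow")
DENY_GUEST_DSM = Rule("deny-guest-dsm", "192.168.1.128/25",
                      frozenset({5000, 5001}), "deny")
ALLOW_HTTPS = Rule("allow-https", "0.0.0.0/0", frozenset({443}), "allow")

AS_ENTERED = [ALLOW_LAN, DENY_GUEST_DSM, ALLOW_HTTPS]   # deny is shadowed
REORDERED = [DENY_GUEST_DSM, ALLOW_LAN, ALLOW_HTTPS]    # specific rule first

if __name__ == "__main__":
    for label, profile in (("as entered", AS_ENTERED), ("reordered", REORDERED)):
        verdict = evaluate(profile, "deny", "192.168.1.200", 5001)
        print(label, "-> guest to 5001:", verdict, "| shadowed:", shadowed(profile))
```

Putting the most specific rules at the top and setting the interface default to deny gives the behaviour most administrators expect.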

synology-firewall

Synology Auto IP Blocking

Enhance your security infrastructure by implementing the highly effective My IP Block List. This proactive measure plays a pivotal role in fortifying your system against potential security breaches and cyberattacks. By intentionally denying access to recognized malicious IPs, it acts as a robust barrier, preventing unauthorized entry and safeguarding your network from external threats.

Elevate your security posture with this simple yet powerful defence mechanism, a crucial step in fortifying your digital environment against evolving cyber risks.

You can leverage the DSM’s automatic IP blocking feature to block IP addresses after multiple failed login attempts. This helps prevent brute-force attacks.

To do this, launch the Control Panel from the Desktop Shortcut or Main Menu. In the left sidebar, select Security; you will find the necessary settings under Protection.

Synology-IP-auto-block

Note: You can exempt IP addresses that you trust from autoblock. You can also enable DoS Protection.
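How a failed-login threshold and a trusted-address exemption interact, as an added example (a simulation, not DSM's code). The log format, the sample lines, and the threshold of 5 failures within 5 minutes are constructed for illustration; use the values you set under Security > Protection.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log: "<date> <time> <result> <source ip> <user>"
SAMPLE_LOG = """\
2024-02-20 10:00:01 FAIL 203.0.113.50 admin
2024-02-20 10:00:11 FAIL 203.0.113.50 admin
2024-02-20 10:00:21 FAIL 203.0.113.50 admin
2024-02-20 10:00:31 FAIL 203.0.113.50 admin
2024-02-20 10:00:41 FAIL 203.0.113.50 admin
2024-02-20 10:00:51 FAIL 203.0.113.50 admin
2024-02-20 10:01:00 FAIL 198.51.100.9 alice
2024-02-20 10:07:00 FAIL 198.51.100.9 alice
2024-02-20 10:07:30 OK 198.51.100.9 alice
2024-02-20 10:13:00 FAIL 198.51.100.9 alice
2024-02-20 10:19:00 FAIL 198.51.100.9 alice
2024-02-20 10:30:00 FAIL 192.168.1.10 bob
2024-02-20 10:30:05 FAIL 192.168.1.10 bob
2024-02-20 10:30:10 FAIL 192.168.1.10 bob
2024-02-20 10:30:15 FAIL 192.168.1.10 bob
2024-02-20 10:30:20 FAIL 192.168.1.10 bob
"""


def auto_block(lines, attempts=5, within=timedelta(minutes=5), allow=()):
    """Return {ip: time_blocked} for every source that reaches `attempts`
    failed logins inside the sliding window `within`.
    Sources inside any network in `allow` are exempt from blocking."""
    allow_nets = [ip_network(net) for net in allow]
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    blocked = {}
    for line in lines:
        if not line.strip():
            continue
        date, clock, result, ip, _user = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        if result != "FAIL" or ip in blocked:
            continue
        if any(ip_address(ip) in net for net in allow_nets):
            continue                 # trusted address: never auto-blocked
        window = recent[ip]
        window.append(when)
        while when - window[0] > within:
            window.popleft()         # forget failures older than the window
        if len(window) >= attempts:
            blocked[ip] = when
    return blocked


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("with LAN exempt:   ", auto_block(lines, allow=("192.168.1.0/24",)))
    print("without exemption: ", auto_block(lines))
```

In the sample, the burst against "admin" is blocked on its fifth failure, the user who mistypes a password a few times over the morning is not, and the LAN workstation is blocked only when it is not on the exemption list. Keep that list short, since an exempt address is never rate-limited.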

Enable-DoS-protection-synology

Antivirus and Malware Protection

Guard your Synology NAS and files against viruses effortlessly with Antivirus Essential. It is a user-friendly and free package. It’s designed to ensure the security of your system.

Install and regularly update antivirus and malware protection packages available in the Package Center. Schedule regular scans to ensure your NAS is free from malicious software.

To do this, launch the Package Center from the shortcut or Main Menu and search for Antivirus Essential as shown below. Click Install when found.

Antivirus-download-1

As you can see below, the package is being downloaded and will install very shortly and the status will change to running.

Antivirus downloading

Run a quick scan to install the latest virus definitions.

synology-antivirus-dashboard

From the image (log) below, the scan is completed and Virus definitions are updated.

Synology-Anitirus-Logs

VPN Configuration

If you use the DS923+ for remote access, configuring a secure VPN connection is paramount. This adds an extra layer of encryption and ensures a secure connection when accessing your NAS from outside your local network. Below are some options to connect to our NAS system.

Option 1: QuickConnect and DSM (regardless of your firewall rules, you can access your box from anywhere). We have already set this up and this is what I use for connecting at the moment. Please see the guide on how to set up the Synology NAS referenced above.
Option 2: Synology Drive
Option 3: Tailscale - Does not require port forwarding
Option 4: WebDAV - Requires port forwarding
Option 5: OpenVPN Server (best option) - Requires port forwarding

My recommendation is if you want to be able to access your Synology NAS remotely, set up a secure VPN service. Simply go to the package manager and install the VPN Server package. For our setup, I will be using the OpenVPN service. However, you are free to use any of the listed options or a combination.

Set up a Virtual Private Network (VPN) on your Synology NAS for secure remote access, and regularly update VPN server settings.

In the next guide, I will show you the complete process.
install-vpn-server

Synology Shared Folder Encryption

Enable data encryption for sensitive folders or volumes. This adds an additional layer of protection, especially for confidential information.

Note: Any users belonging to the administrator’s group can encrypt existing shared folders or new shared folders during folder creation.

Note: When you encrypt a shared folder, a key is generated and automatically downloaded. This key is required for mounting the encrypted shared folder in the future. It is impossible to crack the encryption and access the data without the key, even if you remount the drives on other devices. Therefore, it is critical to save the key in a safe place.

Encrypt-shared-foldwer

Manage keys of encrypted shared folders

It is a good idea to keep your encryption keys in a safe place as described above. However, you can add encryption keys to Key Manager once it is initialized. The Key Manager can be used for the following purposes once it has been initialized:

  • Manage keys of shared folders.
  • Decrypt multiple encrypted shared folders at the same time.
  • Enable encrypted shared folders to be mounted automatically on startup.

Initialize a Key Store

To do this, launch the Control Panel > Shared Folder > Encryption > Key Manager. After initializing, you can add a new key to a key store.

Key-Manager

Note: I am not configuring this yet; in subsequent guides, I will connect a device to use the “External Devices” location.

Select an external device or system partition as the key store from Key Store Location. Synology recommends using an external device because it is safer to store the encrypted file and the corresponding key on different devices.

Initialize-Keystore

Disable Unnecessary Services

Turn off any unnecessary services that you are not using. This reduces the potential attack surface and minimizes security risks.

Verify if Telnet and SSH remain disabled

For example, Telnet and SSH are not enabled by default. Most of the time, you do not require Telnet/SSH access to your Synology NAS, so leave them disabled.

Disable-Unsued-Synology-Ports

As you can see below, they are not enabled (disabled by default). If you have them enabled, please disable them if not needed.

disabled-by-default

Physical Security

Ensure physical security for your NAS by placing it in a secure location. Limit access to authorized personnel. Securing premises and devices from physical attacks can be just as challenging as defending against cyber threats. 

Note: This aspect of security is often overlooked in favour of cybersecurity. Physical security is equally important. All the firewalls in the world can’t help you if an attacker removes your storage media from the storage room. You may want to learn more about physical security or take a CISSP class.

Physical security largely comes down to access control and surveillance. A Synology NAS is an attractive, shiny little piece of technology that is capable of drawing attention. This is why it’s a good idea to keep an eye on it. We shall discuss more about “Video surveillance” subsequently.

Synology Security Advisor

Usually, I (we) should have started from here as the Security Advisor will walk you through some of the steps above. But I decided to show you all the steps to protect your DS923+ NAS without having to employ the security advisor.

Security Advisor, a built-in DSM security application, actively scans your DSM settings and Synology NAS to enhance security. By examining your settings, it identifies potential security risks and provides recommendations to fortify the safety of your Synology NAS.

Security Advisor conducts thorough checks to detect any DSM settings that might pose security threats. Additionally, it actively monitors for suspicious activities, such as the presence of malware.

The application goes beyond static analysis and dynamically analyzes abnormal login activities, actively identifying and thwarting password-guessing attempts initiated by malicious third parties. This proactive approach ensures that your Synology NAS remains resilient against emerging security challenges.

Synology-security-advisor

As you can see below, the security of my NAS is great! Good!!

Sysnology-Security-Advisor

Conduct regular security audits of your NAS. Review access logs, login histories, and system logs to identify any suspicious activities. Address any anomalies promptly.

You may also enable HTTP Compression and enable Spectre and Meltdown protection.

Advanced-synonylogy-protection

Active Insights

Active Insights is a cloud service that provides active 24/7 monitoring of and intelligent insights into your Synology NAS smartly, instantly, and simultaneously.

Active-Insight
Active-Insights-Overview

Conclusion: “DSM Security: How to Protect Synology DS923+ NAS”

Stay informed about security updates and best practices by participating in Synology forums, community discussions, and monitoring official announcements.

Also, do not forget about your Synology Backup job. Regularly back up your data to an external location or cloud service. Synology DSM provides various backup solutions, including Hyper Backup, to safeguard your information.

By following these security measures, you can significantly enhance the overall protection of your Synology DS923+ and the data it contains. Keep in mind that security is an ongoing process, and staying vigilant against emerging threats is crucial. You can also learn about Synology Reverse Proxy.

I hope you found this article useful on “DSM Security: How to Protect Synology DS923+ NAS”. Please feel free to leave a comment below.
