This is Microsoft's position on guest logons: 'Since insecure guest logons are unauthenticated, important security features such as SMB Signing and SMB Encryption are disabled. As a result, clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle attacks that can result in data loss, data corruption, and exposure to malware. Additionally, any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network.'
OK, we'll entertain this nonsense just one more time...
You know, I'm actually perplexed about how to write this post in a manner that is sufficiently complicated so that you can understand it. But I'll give it the old college try - here goes.
First, if one wants perfect computing security, a standalone workstation in a locked room might be the way to go. (But one might have to worry about the ghost of dearly departed Uncle Bob and hacking mice.) Short of some solution like this, risks are involved. It's that simple.
(I'm off to a bad start already - this is not complex enough...)
MS's reference is about file servers in a production environment which are lucrative targets for hackers, along with MS's covering themselves from legal liability to the companies that purchase their products. (It's a lot like all the legal warnings one gets in the box, with anything that has an AC power plug.)
Again, good Lord, "again", the security profile of a home LAN has next to nothing to do with that of an AD Domain or a data center. There are no "Man in the Middle attacks" in a home LAN. (But users might want to check their closets, for hackers, just to be sure.)
Along the same lines, I suppose you're aware that WPA2 has been hacked, right? (Rhetorical question, no need to answer.) So your solution to this would be, what?
"Turn off Wifi or it's data loss, data corruption, and exposure to malware?" OMG!
We both know that's not going to happen. Users will use WiFi, provided by their routers, just like we will. The risk, while real, is still relatively small. It would take a very knowledgeable next door neighbor, or a hacker very close by, to get in.
In the bottom line, there is a trade-off between convenience and security and it's not the same for everyone - it's on a sliding scale.
The key to real data security is not about guarding music files, videos and pictures. It's about not having anything of value to a hacker that is potentially damaging to the user (personal info, credit card details, medical info, etc.) stored on the LAN.
(Note: With sufficient motivation, such as "data of real monetary value", a world class hack can blow past a consumer router.)
_________________________________________________________________________________________
Beginners might ask:
What can be done, in a home network, to enhance network security?
- Start with your router. It's your security gate keeper. Keep it up-to-date. If it's old, consider flashing it with DD-WRT or OpenWrt. If neither of the two is available for your older router, consider buying a new one. And while wireless encryption has never been truly secure, if used, WPA2 with AES is the strongest currently available. (WPA3 is just around the corner.)
- A Router behind a Router. In cases where an ISP provides and manages a router, put your router behind it. This dual layer can provide more protection.
- Clients. Keep clients up-to-date, along with their virus scanners and firewalls.
- Don't expose your OMV server to the internet without doing a LOT of research and fully understanding the risks. In this case, if you do, the highest levels of security possible are a very good idea. (And that would mean SMB1 should not be used and root logons should not be allowed, just to name a couple.)
**And the following bears special note because they're among the highest probable paths for malware to get into your LAN.**
- Web Browsers: Consider turning off Java and ActiveX and avoid known malware sites, using a blocker like Pi-hole.
- E-mail: Delete E-mail from unknown senders and be cautious about opening links in E-mail from any source. (Spoofing a sender address is easy.)
For beginners and intermediate users:
- Users might consider 100% backup on a second server that only the root user can access. With hardened security on a second server, and using versioned backup (filesystem snapshots or the rsnapshot plugin), your data would have a high level of loss protection.
But the most important recommendation for real data security:
- Try not to store sensitive data, that has worth to a hacker, on your LAN. Put it on USB thumb-drives and remove those drives when the info is not needed. Why? Because it's impossible to hack an "air gap".
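As an added example (not from either poster, and not OMV's own tooling) of the SMB settings the posts argue over: the script below audits a Samba smb.conf for the weak settings named above (SMB1, unauthenticated guest fallback, unsigned and unencrypted sessions, guest-accessible shares, SMB logon as root) and pairs a permissive config with a hardened one. The parameter names are Samba's own; both config texts are constructed for the example, and "root logon" is read here as an SMB logon with the root account, which the post does not specify.

```python
"""Audit a Samba smb.conf for the weak settings discussed in the thread.
Added example, not OMV code. Both config texts are constructed here."""
import configparser
import re

# Samba dialect names for 'server min protocol' that still permit SMB1.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

# Constructed: the kind of open config a "guest logon" beginner setup produces.
WEAK_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    server min protocol = NT1
    map to guest = Bad User
    server signing = auto
    smb encrypt = off
    guest account = nobody

[media]
    path = /srv/dev-disk-by-label-data/media
    guest ok = yes
    read only = no
"""

# Constructed: the same server with the settings the posts recommend.
HARDENED_SMB_CONF = """
[global]
    workgroup = WORKGROUP
    server min protocol = SMB2
    map to guest = Never
    server signing = mandatory
    smb encrypt = required
    invalid users = root
    guest account = nobody

[media]
    path = /srv/dev-disk-by-label-data/media
    guest ok = no
    valid users = @users
    read only = no
"""


def parse_smb_conf(text):
    """Return {section: {param: value}} for an smb.conf string.
    Samba ignores case and whitespace in parameter names, so keys are
    lower-cased with whitespace collapsed; the legacy synonym 'public'
    is folded into 'guest ok'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    conf = {}
    for section in cp.sections():
        params = {k: v.strip() for k, v in cp.items(section)}
        if "public" in params:
            params.setdefault("guest ok", params.pop("public"))
        conf[section.lower()] = params
    return conf


def audit(conf):
    """Return a list of findings; an empty list means no check fired."""
    g = conf.get("global", {})
    findings = []

    min_proto = g.get("server min protocol", "").lower()
    if not min_proto:
        findings.append("server min protocol unset: Samba before 4.11 defaults to NT1 (SMB1)")
    elif min_proto in SMB1_DIALECTS:
        findings.append(f"server min protocol = {min_proto}: SMB1 enabled")

    # 'map to guest = Bad User' turns a failed logon into a guest session,
    # which is the "insecure guest logon" Microsoft's text describes.
    if g.get("map to guest", "never").lower() != "never":
        findings.append("map to guest is not Never: failed logons fall back to guest")

    if g.get("server signing", "default").lower() != "mandatory":
        findings.append("server signing not mandatory: sessions can be tampered with")

    if g.get("smb encrypt", "default").lower() not in {"required", "mandatory"}:
        findings.append("smb encrypt not required: file data is readable on the wire")

    # Assumption: "root logon" read as an SMB logon with the root account.
    invalid = {u.lower() for u in re.split(r"[\s,]+", g.get("invalid users", "")) if u}
    if "root" not in invalid:
        findings.append("root not in invalid users: SMB logon as root allowed")

    for name, params in conf.items():
        if name != "global" and params.get("guest ok", "no").lower() in {"yes", "true", "1"}:
            findings.append(f"share [{name}] has guest ok = yes: readable by anyone on the LAN")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"{label}: {audit(parse_smb_conf(text)) or ['no findings']}")
```

Two caveats: OMV regenerates smb.conf from its web UI, so the global settings belong in the SMB/CIFS "Extra options" field (and share settings in each share's extra options) rather than in a hand-edited file; and "smb encrypt = required" needs SMB3-capable clients, so very old devices will stop connecting. Run "testparm -s" after any change to confirm Samba accepts the result.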
_______________________________________________________________________________________
Unfortunately you have no idea what you're talking about.
This is nearly hysterical in that, in this post, you were claiming poor USB performance for the Atomic Pi, as if it was gospel. And it was based on what? "Something you read on the internet somewhere." In the very next post, you recanted that position based on an anecdotal test of a friend, and admitted what you read "somewhere" must have been "rubbish".
Along similar lines, you've admitted to buying into the ZFS "Scrub of Death" nonsense as well. (I can only imagine the string of "dire warnings" posted as a result of that.) I can't help but wonder how much of what you're spreading around is nothing more than anecdotal stuff from a Google search. Anything on the net, even from reputable sources, requires both skepticism and judgement. (I've said this before, apparently to no avail...)
Your 'New User Guide' lacks user management and authentication. New users following your guide are told to use guest logons.
This is a subject where, with an obvious challenge in dealing with other people, you have no idea what you're talking about. I've been an instructor and did more than a bit of technical writing back in the day. I know enough to know that New Users can't take a drink from a fire hose.
And you're either choosing to ignore, or didn't read, this pertinent statement toward the end of the Beginner setup:
Permissions to the shared folder created in this guide, and the SMB network share layered on top of it, are open. While these permission settings are OK for home environments, the server shouldn't be exposed to the Internet by forwarding port 80 or 443. As users gain knowledge and experience, they may want to selectively tighten up permissions on various shares. This is yet another case of "voluntary selective blindness".
Instead, I focused on backup which is a much more important concept for beginners to understand, in the early stages.
Along these lines, while you say you're trying to educate users, here's another item you seem to be completely oblivious to: People don't learn with a "hammer", while using crass and abrasive language. It doesn't work, you're wasting time, you've been told this several times before, yet you persist.
______________________________________________________________________________
You know, I've been in and around general IT for close to 40 years, and I still have files that go back to Windows 3.1. I've worked as a field site admin, in a data center, and in other environs steeped in networking, PC tech, file storage, etc. I've seen a few virus infections along the way. What I couldn't clean up was restored from backup. And while I took reasonable precautions in maintaining backup, I've never had anything near the data loss, data corruption, and exposure to malware, death and destruction, you scream about in red text all the time. Further, as it seems, most users don't have these problems either.