Käytämme evästeitä verkkosivustomme parantamiseksi. Lue Evästekäytäntömme.

NAS 351

Using WORM Shared Folders

Use WORM shared folders to provide additional data security for your NAS.

2024-10-22

COURSE OBJECTIVES

Upon completion of this course you should be able to:

  1. WORM shared folders come in two different types.
  2. Use ADM File Explorer to manipulate WORM settings on individual files or subfolders to lock files as well as extend the lock period or change file lock status.

PREREQUISITES

Course Prerequisites:

None

Students are expected to have a working knowledge of:

Shared Folders


OUTLINE

1. Introduction to WORM Shared Folders

2. Creating WORM Shared Folders

3. Modifying WORM Related Settings in ADM File Explorer

4. Additional Notes





1. Introduction to WORM Shared Folders

WORM (Write Once, Read Many) is a data storage technology that only allows data to be written to a storage device once and prevents it from being deleted or modified. Data stored on WORM-compliant storage is immutable. This means that once data has been written to a WORM-compliant storage device, it cannot be modified. This plays a key role when it comes to addressing data security and compliance requirements as well as protecting against ransomware and other attacks.

ADM 4.2.6 introduces support for WORM in shared folders on Btrfs volumes which can help add additional protection for important data. Shared folders with WORM enabled can help organizations comply with various data retention regulations and compliance standards to safeguards data from unauthorized access, tampering and malware. Enabling WORM functionality will automatically disable the network recycle bin for the shared folder.

WORM System Requirements: AS52, 53, 54, Lockerstor, Lockerstor Gen2, Lockerstor Gen3, Lockerstor Pro, Flashstor, Flashstor Gen2.




2. Creating WORM Shared Folders

WORM shared folders only support Btrfs volumes. Before creating a WORM shared folder, you’ll need to create at least one Btrfs volume first. If there are no Btrfs volumes in an ASUSTOR NAS, please refer here to learn how to create a Btrfs volume.


  • Log into your ADM using your web browser.
  • Select Shared Folders inside Access Control.
  • Click Add.


  • Enter a name for the new folder. A Btrfs volume must be selected to create a WORM shared folder. The pulldown menu for installed volumes will indicate whether a volume has Btrfs or not. Click Next.


  • Set access rights for the folder. The default is Read Only for all users, Read & Write for administrators. Click Next.


  • Select Enable WORM to write-protect this shared folder. Click Next.


WORM mode has been activated, it cannot be deactivated.


  • Select Governance mode or Compliance mode for the WORM shared folder and click Next.
    • Governance mode:
      A WORM shared folder set to Governance Mode does not allow modification or deletion of files within the set retention period. Only authorized system administrators have permissions to delete the WORM shared folder, delete the volume a WORM folder resides in or reset the NAS to factory settings. WORM serves as an additional piece of protection for critical data, shielding valuable assets from unauthorized access.

    • Compliance mode:
      Once a WORM shared folder is set to Compliance Mode, not only are files in that shared folder unable to be modified or deleted within the set retention period, it also bars everyone from deleting that WORM shared folder, the volume it resides in as well as barring everyone from resetting the NAS to factory settings. WORM Compliance mode ensures compliance in industries like finance and healthcare, where immutable data storage is mandated for enhanced security and privacy.


Enabling the auto lock means that files will be automatically locked upon final write. After writing, they cannot be renamed, modified, or deleted after specifying a grace period. For detailed settings on individual files, please go to File Explorer More for detailed configuration.

  • Enabling the Auto Lock brings up more options.
    • Auto-lock time settings:
      Set the Auto-lock time here, default is three hours, maximum is seven days. Selecting “Immediately lock” will lock a file as soon as it is written.
    • Lock retention period:
      Sets the lock retention period. Default is three years, minimum is one day, and maximum is one hundred years. You can also choose to lock permanently here.

      WORM will even prevent the system time from being tampered with and shorten the lock time of the WORM shared folder. Once a lock time is set, it can only be extended but not shortened. The actual lock time may be longer than initially set. Lock time may be extended due to factors such as system shutdown or dismounted volume.

    • Lock status:
      File lock status of WORM shared folders supports "Append-only" and "Immutable".
      • Append-only:
        When a file is set to Append-only, that file cannot be modified or deleted. However, data can be added to the end of an original file. Example: Cannot change past records of logs, but new records can continuously be added. Append-only files can be changed to Immutable, but the reverse is not possible.
      • Immutable:
        When a file is set to immutable, that file cannot be modified, deleted, or its status changed.

      Using WORM shared folders also preserves the integrity of important historical documents and records, safeguarding them from any modifications while stored, while still maintaining the flexibility to add new records. You can consider setting files lock status as "Append-only".



  • Confirm your settings and then click Finish.



Note: It is not possible for anyone to delete a volume and reinitialize a NAS that contains a WORM shared folder set to compliance mode. Administrators may need to double check the relevant instructions again before applying these settings to set this shared folder to compliance mode.


  • The WORM shared folder should now appear. Different icons will be used to identify the different types of WORM shared folders.




3. Modifying WORM Related Settings in ADM File Explorer

If the WORM settings of a WORM shared folder and its subfolders or files are still allowed to be modified, the WORM settings that are still allowed to be modified will be displayed in the context menu of the folder or files:




  • Lock immediately:
    For folders or files that are not set to auto lock or whose auto lock time has not expired, you can lock the file immediately here. Folders or files whose original lock retention period has expired can also be locked again here. You need to set the lock retention period and lock status while locking them.


  • Extend lock:
    For folders or files whose lock retention period is not permanently locked, the lock retention period can be extended here. The lock retention period can only be extended, not shortened.


  • Lock Settings:
    During the lock retention period, for folders or files whose lock status is set to "Append-only" can only be changed to "Immutable" here. It is not possible to reverse this action.


WORM shared folders, subfolders, and files will display individual WORM lock status within their properties dialog box.





4. Additional Notes

  • It is not possible for anyone to delete a volume where a WORM shared folder is set to compliance mode.


  • It is not possible for anyone to reinitialize a NAS that contains a WORM shared folder set to compliance mode. This means that the NAS cannot be restored to factory settings.


  • Volume snapshots containing WORM shared folders cannot be restored to overwrite the original data.



Learn More

Was this article helpful? Yes / No