The first thing you'll do to enhance the security of the Duo is change the Admin password to something other than the default value of netgear1. You'll also want to configure the password recovery feature. Second, you'll want to configure SMTP settings for password recovery and alerting capability. Finally, you'll create users, groups, and folder share permissions.
Changing the Admin password is under the Security > Admin Password menu as shown in Figure 4. Here, you can change the Admin password and set up Netgear's handy password recovery feature. In many small network devices, losing the password means resetting the device to factory defaults. Netgear has included a nice feature to recover the admin password without re-entering all your configurations.
If the Admin password is later lost or forgotten, browsing to https://DuoIP/password_recovery (where DuoIP is the Duo's IP address) will prompt for the configured email address and the answer to your password recovery question. I tested this feature and it worked as advertised, sending me an email with the new admin password.
Figure 4: Password recovery
The Duo can be configured to send notifications via email if given an SMTP account. As shown in Figure 5, enabling this functionality is a matter of entering an SMTP server address, port, user name and password. Once configured, an email address can be entered in the Contacts tab, and the configuration can be tested with a handy “Send Test Message” button. I used this function and received a confirmation email with text stating “If you receive this message, the email alert notification is working properly.”
Figure 5: SMTP configuration
A security hole in the Duo is that there is no idle logout for the administration menus. Once logged into the Web utility, the web session will stay logged in until the user logs out or closes the browser window. This is a security flaw as an authorized user could leave a session logged in and walk away, allowing an unauthorized party to access the device.
File security on the Duo includes the ability to define individual Users and associate them to Groups, allowing for efficient user management. I found it easiest to create Groups first, then create Users and assign them to Groups. Once Users are created and associated with Groups, permissions to various shares on the Duo can be configured for individual Users or Group access.
From a physical security standpoint, the Duo has a Kensington type security hole, commonly found on laptops to allow for locking the device with a short cable to some immovable object. I have a Kensington security cable I regularly use with my Dell laptop, so I tried it on the Duo. Unfortunately, I was disappointed to find that my cable, which works fine with my laptop, would not lock to the Duo. I think the problem might be that the security port on the back of the Duo is more recessed than the one on my laptop.
Out of the box, the Duo comes configured with two directories, or shares, called Backup and Media. Protocol access to network shares is configurable with CIFS (Common Internet File System, which uses the Server Message Block (SMB) protocol), AFP (Apple Filing Protocol), NFS, FTP and HTTP/S. I had no problem connecting Windows XP Home, XP Pro, and Vista machines, as well as a Linux PC to both share directories via CIFS.
Instead of creating a new folder, I used the existing Media share and copied all our family photos and videos to the Pictures folder in this directory. To control Read/Write access to the Media share, I selected Default Access to be Read Only. I then entered one of my Groups, called control, to have Write access to the share. Finally, I left the Allow guest access box checked. Figure 6 shows my selections.
Figure 6: Share access configuration
Specifying a User name when mapping a network drive in Windows is done by using the Connect using a different user name option under My Computer > Tools > Map Network Drive, as circled in Figure 7. For my wife and kids' PCs, I mapped the Duo's Media share without using this option, so they will have Read-only guest access.
Figure 7: Network drive mapping
On my PC, I mapped the Media share using the Connect option with a user name that belongs to the control group I created earlier. With this configuration, I can add and update our family photos to the Media share from my PC and allow my wife and kids access to the Media share from their PCs without worrying about them accidentally deleting files.
I double-checked my configurations by having my son try to delete a file from the Media share from his PC, and was pleased to see him get an “Access denied” message. He still had access to view the files, but couldn't add, change, or delete any of the files.
Additional shares can be created through the Add Shares menu by entering a share name and description, then selecting or de-selecting Public Access. De-selecting Public Access in the Add Shares menu forces authentication to a newly created share. Once created, access to those shares can be further controlled by setting Default Access to Read/Write, Read-only, or Disabled.
With the Default Access option set, defining which users or groups will have Read/Write or Read-only access is a matter of checking the appropriate box and entering the user or group. To further enhance security, specific Host IP Addresses can be entered to limit file access to specific computers.
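For comparison, the share settings described above (the read-only Media share with write access for the control group and guest access allowed, plus a share with Public Access de-selected and a host restriction) can be expressed on a stock Samba server as follows. This is an added illustration, not the Duo's own configuration file; the paths, the subnet and the "Private" share name are placeholder assumptions.

```ini
# Added illustration: generic Samba (smb.conf) shares, not the Duo's own config.
# Paths, the subnet and the "Private" share name are placeholders.
# Comments are kept on their own lines because smb.conf does not
# support trailing comments after a parameter value.

[global]
    # Map unknown user names to the guest account so unauthenticated
    # clients can reach shares that set "guest ok = yes".
    map to guest = Bad User

[Media]
    path = /srv/shares/media
    # Default Access: Read-only
    read only = yes
    # Write access for members of the "control" group
    write list = @control
    # "Allow guest access" box checked
    guest ok = yes
    # Optional: limit file access to specific hosts or networks
    hosts allow = 192.168.1.0/24

[Private]
    path = /srv/shares/private
    # Public Access de-selected: every connection must authenticate
    guest ok = no
    # Only members of the "control" group may connect at all
    valid users = @control
    # Default Access: Read/Write for those users
    read only = no
    hosts allow = 192.168.1.0/24
```

In Samba, `write list` takes precedence over `read only = yes` for the listed users and groups, so guests and other users can browse Media but are refused on add, change or delete, which matches the "Access denied" result in the test above.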