
Setup & Admin - Security Warning

Linksys Network Storage Link for USB 2.0 Disk Drives reviewed

Linksys provides a Windows-based Setup Wizard, but you can bypass it and do the entire setup via the NSL's web browser-based admin server. Just be sure to get your computer set to an IP address in the 192.168.1.X subnet other than 192.168.1.77, which is the NSL's default.

Once you log in, you can set the NSL to grab an address from your LAN's DHCP server, but I'd recommend keeping it set to a static IP address that matches your LAN's subnet so that you always know where to find it.

Figure 2: Home page

Once you enter the default IP address into your browser, you'll immediately get the Home screen shown in Figure 2. As a matter of fact, you can access everything you see without having to log in except for the Administration and User Log In (Private Data) links.

Linksys has apparently opted for ease-of-use vs. security in their choice of defaults, and the wide selection of activities available without login frankly freaked me out at first. I was particularly concerned with the ability to change any password - including the admin account - without having to first log in!

You could argue that this is no worse than Linksys' normal setup of using the same default login on all products. But this just feels more likely to get unsuspecting users in trouble, especially if they decide to make their NSL accessible for remote access via the Internet. Until Linksys tightens up the NSL's security, I strongly recommend you do not set up the NSL for direct Internet access. If you must access it remotely, you'd be best off setting up VPN access to your LAN, but you should at least make the changes listed below.

Changing the default admin password and disabling UPnP should be among the first things you do in setting up the NSL. You may also want to change the port that the HTTP interface responds to from its default of 80. Unfortunately, you don't have the option of disabling HTTP file access entirely while leaving the Admin server turned on. You also can't enable secure HTTP (HTTPS) for all web-based activity, or restrict HTTP access to specific IP addresses or ranges.

On a more positive note, although you can't delete the "guest" account that provides no-password access to the NSL's "public" folder, you can add a password. You can also disable "guest" logins entirely, and not let failed logins default to being granted "guest" access.
