QNAP first setup checklist

QNAP's QTS gets you a working NAS quickly, but the out-of-box defaults (default admin user, common ports, snapshots not configured, exposed services) have historically been the entry point for ransomware campaigns targeting QNAP devices. The first-day setup is mostly about closing those defaults before storing real data — not about file shares yet.

Best for: First-time QNAP TS-series operators on QTS 5.x or later, unboxing a NAS and getting it to a baseline that can hold irreplaceable data safely.

Lockdown before workload (the security-first order)

  • Disable the default `admin` user: Control Panel > Privilege > Users > admin > tick `Disable this account`. Create a new admin-equivalent user with a unique name + strong password BEFORE disabling admin. QNAP attacks often target the literal `admin` account; disabling it removes that vector.
  • Change the default web UI ports from 8080 (HTTP) and 443 (HTTPS): Control Panel > General Settings > System Administration. Pick non-default high ports (e.g., 18432 / 18443). Default-port scanning is constant.
  • Force HTTPS only and turn on 2-Step Verification: Control Panel > General Settings > System Administration > tick `Force secure connection (HTTPS)`. Then user profile > Security > enable 2-Step Verification with an authenticator app.
  • Open Security Counselor (the built-in security scanner): Main Menu > Security Counselor > Run scan. Address every High/Critical finding before adding data.
  • Confirm QTS is on the current stable release: Control Panel > System > Firmware Update > Check for Update. Apply if a current update exists.

Storage pool design

  • Storage & Snapshots > Storage > Storage / Snapshots > Create > Storage Pool. Pick the disks that will be in the pool.
  • RAID level by use case: RAID 1 (2 disks, mirror) for simple home use; RAID 5 (3-5 disks) for most home NAS setups; RAID 6 (4+ disks) for capacity setups where the second-drive-failure-during-rebuild risk matters. Don't use RAID 0 for anything irreplaceable — no redundancy.
  • Decide thick vs thin volumes when creating the volume on the pool: thick provisions full capacity up front (predictable performance, no oversubscription); thin allows volume size > current pool capacity (flexible, but can run out at write time). Thick is the safer home default.
  • Reserve **20%+ free space** at the pool level. QTS snapshot consumption + filesystem overhead works best with headroom.

Snapshot baseline (the under-used feature)

  • Storage & Snapshots > Snapshot > Snapshot Manager > pick the volume > Snapshot Schedule. Set hourly for the first week to observe consumption; ratchet down if pool capacity drops.
  • Snapshot Retention: Smart Versioning is the recommended default — hourly for 24 hours, daily for a week, weekly for a month. This balances recovery granularity against pool consumption.
  • Enable Snapshot Vault to replicate snapshots to a second QNAP or to an external storage destination. Snapshots alone don't survive pool failure; replication closes that gap.
  • Snapshot is not a backup. Layer Hybrid Backup Sync 3 (HBS 3) on top for the actual off-box backup (next section).
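The Smart Versioning tiers and the 20%+ headroom rule above, as an added Python example that is not part of the original page or of QNAP's own code: it models which snapshots such a policy keeps at a given moment and gives a rough capacity estimate. Reading "a month" as 4 weeks and modelling snapshot overhead as daily churn times days retained are assumptions, not QTS's own accounting.

```python
from datetime import datetime, timedelta

# Smart Versioning tiers as the page describes them: hourly for 24 hours, daily
# for a week, weekly for a month ("a month" taken as 4 weeks: my assumption).
HOURLY_WINDOW = timedelta(hours=24)
DAILY_WINDOW = timedelta(days=7)
WEEKLY_WINDOW = timedelta(weeks=4)

def smart_versioning_keep(snapshots, now):
    """Sorted timestamps a Smart-Versioning-style policy keeps at time `now`:
    all snapshots < 24h old, the newest per calendar day for 7 days, and the
    newest per ISO week for 4 weeks. Everything older is expired."""
    keep = set()
    newest_per_day, newest_per_week = {}, {}
    for ts in snapshots:
        age = now - ts
        if age < timedelta(0):
            continue  # entry timestamped in the future (clock skew): ignore
        if age < HOURLY_WINDOW:
            keep.add(ts)
        if age < DAILY_WINDOW:
            day = ts.date()
            if day not in newest_per_day or ts > newest_per_day[day]:
                newest_per_day[day] = ts
        if age < WEEKLY_WINDOW:
            week = ts.isocalendar()[:2]  # (ISO year, ISO week number)
            if week not in newest_per_week or ts > newest_per_week[week]:
                newest_per_week[week] = ts
    keep.update(newest_per_day.values())
    keep.update(newest_per_week.values())
    return sorted(keep)

def snapshot_headroom_ok(pool_gb, data_gb, daily_churn_gb, history_days=28, min_free=0.20):
    """Planning estimate for the page's 20%+ headroom rule, not QTS's accounting:
    worst case, every changed block stays referenced for the whole history window,
    so snapshot overhead ~ daily churn * days kept. Returns (snap_gb, free, ok)."""
    est_snap_gb = daily_churn_gb * history_days
    free_fraction = max(0.0, (pool_gb - data_gb - est_snap_gb) / pool_gb)
    return est_snap_gb, round(free_fraction, 3), free_fraction >= min_free

def demo_retention(days=30):
    """Constructed sample: hourly snapshots for `days` days ending 2026-05-18 12:00.
    Returns (taken, kept, oldest kept as ISO string) for quick inspection."""
    now = datetime(2026, 5, 18, 12, 0)
    taken = [now - timedelta(hours=k) for k in range(24 * days)]
    kept = smart_versioning_keep(taken, now)
    return len(taken), len(kept), kept[0].isoformat()

if __name__ == "__main__":
    print(demo_retention(), snapshot_headroom_ok(pool_gb=8000, data_gb=5000, daily_churn_gb=20))
```

With hourly snapshots the policy settles at a few dozen retained snapshots rather than hundreds, which is why watching Snapshot Total Capacity for the first week is enough to see the steady state.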

First backup via HBS 3

  • App Center > Hybrid Backup Sync 3 (HBS 3) > install (pre-installed on most QTS 5.x systems).
  • HBS 3 > Backup > Create > Backup Job. Pick source folder(s) — your irreplaceable data, not entire `Multimedia/` or `Download/` paths.
  • Destination: Cloud storage (Backblaze B2 / S3 / Wasabi / Google Drive / etc.), Remote NAS (rsync to another QNAP or generic rsync host), or Local storage (USB drive plugged into the QNAP).
  • Schedule: daily off-peak. Encrypt the destination with a strong passphrase + salt; store these somewhere the QNAP doesn't host.
  • Run the first job manually. Watch HBS 3 > Job Status until success. Then restore one small file to a temp dataset to prove restorability before relying on the backup.

Disable services you don't need

  • Control Panel > Network & File Services. Disable Telnet, FTP, SNMP, and any sharing protocols you don't actually use (NFS, AFP if Apple-only home). Every enabled protocol is attack surface.
  • Control Panel > Applications > Auto Update. Set apps and QTS to auto-update on critical patches; review major-version updates manually.
  • Disable myQNAPcloud's auto-router-configuration if you don't need internet-facing access: Control Panel > myQNAPcloud > Auto Router Configuration > off. NAS units have been hijacked through router port-forwards that were opened automatically via UPnP.
Evidence first

First proof

Default `admin` user is disabled.

Screen to open

Control Panel > Privilege > Users > admin row > Edit > tick 'Disable this account' AFTER creating replacement admin user

Expected signal

Control Panel > Privilege > Users > admin row shows Disabled status; a separate admin-equivalent user exists.

Stop boundary

Stop if Security Counselor shows signs of compromise (unauthorized users, modified system files); investigate before continuing.

Layer path

1. QTS out-of-box defaults (default `admin` user, default ports 8080/443, exposed services, no snapshots) have historically been the entry vector for QNAP-targeted ransomware (Qlocker, DeadBolt, eCh0raix).
2. First-day setup is mostly security lockdown — closing those defaults BEFORE storing real data — not file shares yet.
3. Storage pool design (RAID level, thick vs thin volumes, capacity headroom) determines what's possible later; snapshot policy depends on adequate pool capacity.
4. HBS 3 is QNAP's backup tool; snapshots alone don't survive pool failure, so HBS 3 to an off-box destination is required for actual backup.
Step-by-step runbook

Start here. Do each check in order, compare it to the expected result, and stop when the evidence explains the failure or the safe stop point applies.

1

Lockdown BEFORE data: disable default admin + change ports + HTTPS + 2SV

Check: Create replacement admin → disable `admin` → change web UI ports → force HTTPS → enable 2SV.

Expected result: Security Counselor scan returns no High/Critical findings related to default accounts or ports.

If not: Don't skip ahead to file sharing; default-port + default-admin is the historical ransomware vector.

2

Apply current QTS updates

Check: Control Panel > System > Firmware Update > Check for Update > apply.

Expected result: QTS is on current stable release.

If not: Older QTS has known CVEs; apply before opening any access path.

3

Create the storage pool with 20%+ headroom

Check: Storage & Snapshots > Create > Storage Pool > select disks > pick RAID level based on use case > create volume(s) with thick provisioning > confirm 20%+ free capacity remains.

Expected result: Pool Ready; volumes accessible; capacity gauge shows green/yellow not red.

If not: Trim or add disks if capacity is tight — snapshot policy in the next step needs room.

4

Enable snapshots with conservative starting policy

Check: Storage & Snapshots > Snapshot > Snapshot Manager > volume > Schedule > Smart Versioning (default) > enable 'Make snapshots accessible via SMB' if end-user self-recovery is wanted.

Expected result: Snapshot schedule active; first snapshots appearing after schedule fires.

If not: Watch Snapshot Total Capacity for first week; trim retention if growth exceeds expectations.

5

Configure HBS 3 first backup with encrypted off-box destination

Check: HBS 3 > Backup > Create > source folders (irreplaceable only) > destination type (cloud/remote NAS/USB) > encryption enabled with passphrase stored offsite > schedule daily off-peak > Run Now.

Expected result: First backup succeeds with non-zero data; restore drill on one file proves restorability.

If not: If encryption passphrase storage isn't ready, stop and set it up first.

6

Disable unused services and set up notifications

Check: Control Panel > Network & File Services > disable Telnet/FTP/SNMP/protocols not in use. Notification Center > route alerts to email or push.

Expected result: Only intended services running; failed-login + critical alerts reach you.

If not: Without notifications, broken backups or active scanning attempts go unnoticed.

7

Document the configuration

Check: External record (operations doc / password manager): replacement admin username, current ports, snapshot schedule, HBS 3 destination, encryption passphrase location, first-success timestamp.

Expected result: Documentation exists outside the NAS.

If not: Without this, recovering after a major incident means relearning the setup from scratch.

Decision tree

If: First-time QNAP setup, no data yet.

Then: Do all security lockdown BEFORE storing anything.

Action: Disable admin → change ports → HTTPS-only → 2SV → Security Counselor → storage pool → snapshots → HBS 3.

If: Existing QNAP that's been running with defaults.

Then: Lockdown still applies — but back up first since something might already be wrong.

Action: Run Security Counselor; review findings. Back up irreplaceable data immediately. Then close defaults in order.

Safe stop: Stop if Security Counselor shows signs of compromise (unauthorized users, modified system files); investigate before continuing.

If: Choosing RAID level for the pool.

Then: Use case drives the choice.

Action: RAID 1 (mirror, 2 disks) for simple home use. RAID 5 (3-5 disks) for typical home NAS. RAID 6 (4+ disks) for capacity setups. RAID 0 provides no redundancy.

If: Choosing thick vs thin volume.

Then: Predictability vs flexibility tradeoff.

Action: Thick: provisions full capacity up front; predictable performance; no oversubscription. Thin: allows volume size > pool capacity but can fail at write time. Thick is the home default.

If: Need remote access from outside.

Then: Don't expose QTS web UI directly.

Action: Use myQNAPcloud CloudLink (QNAP-managed relay; no port-forward) or VPN-style overlay (Tailscale in Container Station). See `/nas/qnap-safe-remote-access`.

Safe stop: Stop before clicking Auto Router Configuration — UPnP-managed port-opening is the historical ransomware vector.

Evidence table

Symptom: Security Counselor flags `admin` account enabled.
Evidence to collect: Security Counselor scan result.
Likely layer: Default admin user still active.
Next action: Create new admin-equivalent user; disable `admin`; re-run scan.

Symptom: Security Counselor flags 'web admin port is default'.
Evidence to collect: Security Counselor scan result.
Likely layer: Default ports 8080/443 still in use.
Next action: Control Panel > System Administration > pick non-default high ports; HTTPS-only.

Symptom: Storage & Snapshots shows pool above 80% used.
Evidence to collect: Storage > pool > usage gauge.
Likely layer: Insufficient capacity headroom.
Next action: Trim data, retire snapshots, or add disks. Aggressive snapshot retention will compound the issue.

Symptom: HBS 3 task scheduled but log shows no successful run.
Evidence to collect: HBS 3 > Job Status > the task > Log.
Likely layer: Destination unreachable, credentials invalid, or source path wrong.
Next action: Open the log entry; fix the specific cause; re-run manually before relying on scheduled runs.
Commands and settings paths

Disable the default `admin` user

Control Panel > Privilege > Users > admin row > Edit > tick 'Disable this account' AFTER creating replacement admin user

Where: In the QTS web UI as an existing admin.

Expected: `admin` shows Disabled in user list; replacement admin can still log in.

Failure means: Don't disable `admin` before confirming replacement admin works — risk of lockout.

Safe next step: If locked out, recovery means a power-cycle plus a console cable and QNAP's recovery procedure; it is not friendly.

Run Security Counselor scan

Main Menu > Security Counselor > Run Scan

Where: In the QTS web UI.

Expected: Scan completes; report lists findings by severity.

Failure means: Address every High/Critical finding before continuing to data storage.

Safe next step: Schedule a monthly scan under Security Counselor > Schedule.

Create the first storage pool

Storage & Snapshots > Storage > Storage / Snapshots > Create > Storage Pool > pick disks > RAID level > Create

Where: In the QTS web UI.

Expected: Pool appears with status Ready (green); all disks healthy.

Failure means: Pool creation can take time; don't interrupt.

Safe next step: Confirm 20%+ free capacity after creating volume; under-provisioned pools struggle with snapshot retention.

Configure HBS 3 first backup job

App Center > HBS 3 > Open. Backup > Create > Backup Job > source folders > destination > schedule > encryption > Save > Run Now manually for first run

Where: In HBS 3 (via QTS Main Menu > HBS 3).

Expected: First job completes with Success; restored file opens cleanly from the destination.

Failure means: Encrypt destination; store passphrase in password manager with offsite copy.

Safe next step: Stop before completing if passphrase storage isn't ready.

Hardware and platform boundary

Change only when

  • Snapshot Vault to a second destination is the right next step only after the source-side snapshot schedule has been stable for a month and pool capacity behavior is understood.

Evidence that matters

  • Default lockdown (admin disabled, non-default ports, HTTPS-only, 2SV, current QTS), pool capacity headroom, and encrypted off-box HBS 3 backup matter most.

Evidence that does not matter

  • Faster QNAP hardware doesn't change the security defaults; lockdown discipline is what determines safety.

Avoid

  • Avoid leaving default `admin` enabled, exposing web UI to internet on default ports, treating snapshots as backup, or skipping Security Counselor scans.

Last reviewed

2026-05-18 · Reviewed by HomeTechOps. Reviewed against QNAP's official security best-practices guidance, QTS Storage & Snapshots documentation, HBS 3 setup docs, and NIST's conservative-backup framing for the snapshots-are-not-backup boundary.

Source-backed checks

HomeTechOps turns official docs and conservative safety rules into a shorter runbook. These links are the source trail for the page direction.