Use QNAP Enterprise Storage ES NAS to create WORM shared folder - Windows
WORM Overview
WORM (Write Once, Read Many) is used to avoid modification of saved data. After this feature is enabled, data in shared folders can only be written, and can not be deleted or modified to ensure data integrity.
With increasingly stringent regulations on how information is stored, many countries require government agencies, financial institutions, and health care providers to comply with strict data archiving regulations. Many of these require storage systems to not tamper with archived data. This has led to WORM becoming increasingly common.
Good examples are photos, contracts, financial reports, emails, employee information, and other important documents. They should not be modified once stored. In some professional fields, massive data needs to be analyzed, and huge amounts of real-time data needs to be recorded and tracked. WORM technology is ideal for protecting these records, so that they will not be overwritten and can be saved as a reference for future use.
To meet the security requirements of enterprise storage, QNAP ES Series NAS has added WORM functionality to help information personnel protect important organizational information. It can provide substantial benefits to organizations and avoid the risk of breaking relevant information laws.
Create shared folder with WORM
System architecture
| Device | Description |
|---|---|
| Storage Units | QNAP ES Series NAS (system version QES 1.1.3) |
| Servers | Install VMware ESXi 6.0 |
| a matter of mouse clicks. | Install Windows Server 2012 R2 to mount the NFS shared folder |
| IP Settings | As the ESXi host and NFS Server in the NAS connect and communicate with each other using IP, it is recommended that both the ESXi host and NAS server be set to static IP addresses. |
Server role and network settings list
| Server Network Settings | ||
|---|---|---|
| Role | IP | Description |
| ESXi server A | 192.168.2.60 | VMware ESXi host |
| Data Network | 1.1.1.60 | 10G Data port in ESXi host |
| Virtual Machine | 192.168.2.105 | Windows Server 2012 R2 |
| Storage Network Settings | ||
|---|---|---|
| Setting | Value | Description |
| SCA Management IP | 192.168.2.50 | Management IP of controller A |
| SCA Ethernet1 IP | 1.1.1.9 | Data port 1 IP of controller A |
| SCA Ethernet2 IP | 1.1.2.9 | Data port 2 IP of controller A |
| SCB Management IP | 192.168.2.51 | Management IP of controller B |
| SCB Ethernet1 IP | 1.1.1.10 | Data port 1 IP of controller B |
| SCB Ethernet2 IP | 1.1.2.10 | Data port 2 IP of controller B |
| Pool at SCA | Pool1 | RAID6 pool at controller A |
Create WORM shared folder in an existing Pool
You must complete the following steps before creating a shared folder with WORM functionality. Refer to the link below to complete the process.
- Add the server to the QNAP ES Series NAS whitelist
- Create RAID and Storage Pool
Link: Set up a VMware ESXi Datastore via NFS with QNAP Enterprise-Class ES NAS
Step 1: Log in to QES and click “Shared Folders”.
Step 2: Go to “Storage Space”, click "Create" > "New Shared Folder”.
Step 3: Enter the desired WORM folder name. In "Storage Settings", set the WORM storage quota, and select other options according to different application scenarios. If there are no special requirements, you can just select the default values.
Step 4: Find "WORM Settings” and click “Edit”.
Step 5: Enable “WORM” and select a WORM folder Type in the drop-down menu.
Note:
WORM Folder Types:
- Enterprise: Folders can only be written, but cannot be deleted, modified or restored. You can remove the shared folder through QES or CLI commands.
- Compliance: Folders can only be written, but cannot be deleted, modified or restored. To remove a folder, you must take the Storage Pool offline and remove the Pool.
Step 6: Set the “Lock delay”, when enabled, a file added to the folder can be modified within the lock delay time period. After this time has passed, the file automatically becomes locked and unmodifiable.
If disabled "Lock delay", a file can’t be WORM type automatically, you need modify the file property to “Read only” by manually.
Step 7: Set the retention period of the WORM folder. In this example, it is set to 1 day, meaning the WORM restrictions can only be removed after 1 day. After setting the retention period, click "Apply" to create the WORM folder.
The WORM folder appears in the list of shared folders.
Step 8: Select the WORM folder and click "Manage".
Note: If the WORM type is set as “Compliance”, the remove option (in “Actions”) is disabled.
The WORM folder is created and available to use.
QNAP ES Series NAS WORM Shared Folder function
QNAP WORM architecture
After enabling QNAP WORM in the shared folder, any file in this folder can be set to "Immutable" or "Append Only". The difference is as follows:
| Description | |
|---|---|
| Append Only | You can add data, but not modify, delete, or rename it. |
| Immutable | You cannot add, modify, delete or rename it. |
QNAP WORM trigger conditions
| Description | |
|---|---|
| Append Only | In Windows: the file is empty and the file attribute is set to Read-only, then the file is “Append Only”. |
| Immutable | In Windows: there is data inside the file, and the file attribute is set to Read-only, then the file is “Immutable”. |
QNAP WORM permissions
Below is description of QNAP WORM permissions
WORM status is similar to denied permissions in ACL, but there are some differences. The main difference is as follows
- If a folder uses WORM, then even users with the highest privileges ("administrator" or "root") cannot change the WORM status of files contained within.
- If a child directory (Child) triggers WORM state, the parent directory will be unable to be renamed and deleted, and this is true for any folder level: as long as the WORM state is triggered, the parent folder will be unable to be renamed and deleted.
- When the WORM folder retention period expires, the "remove privilege" and "delete child privilege" will be automatically granted.
For details, please refer to the following table:
| Write data (rename child) | Append data (add child) | Delete (delete folder, delete child) | Rename | Rename parent | |
|---|---|---|---|---|---|
| NONE | O | O | O | O | O |
| AppendOnly | X | O | X, (WORM expiry is O) | X | X |
| Immutable | X | X | X, (WORM expiry is O) | X | X |
Verify the WORM shared folder
Verify WORM Append Only status
Create a WORM Append Only file
Step 1: Mount the WORM folder to a Windows PC
Open any folder in Windows, enter the WORM folder Shared Path “\\1.1.1.9\WORM”, and enter your ES NAS user credentials.
Step 2: Enter this directory and create an empty Notepad file named "AppendOnly".
Step 3: Right-click the file, select “Properties” and check Read-only. This file will become Append Only.
NOTE: Read-only access affects the files in the folder (not the entire folder). You can enable WORM settings for folders through QES.
Reference : Microsoft, Folder read-only behavior.
Verify Append Only File - Delete Data
Step 1: Enter the number "12345" in the “AppendOnly” file, save the file, and close it
Step 2: Open the “AppendOnly” file again, delete the end numbers "45", save the file and close it
Step 3: Open the “AppendOnly” file again, you will find that the file has returned to its original state "12345". Verify Append Only state, unable to delete data.
Verify Append Only File - Write Data
Step 1: Enter the number "6789" after "12345" in the “AppendOnly” file, save the file, and close it
Step 2: Open the “AppendOnly” file. It will display "123456789", confirming that data can be written to the file in the Append Only state.
Verify Append Only File - Delete file
Step 1: Right click the “AppendOnly” file, select “Delete”, and click “Yes” to confirm deletion.
Step 2: We can see that the folder currently shows no “AppendOnly” file.
Step 3: Click the refresh button in the top-right corner. The “AppendOnly” file will appear again, confirming that the file cannot be deleted in the Append Only state.
Verify Append Only File - Rename
Step 1: Right click the “AppendOnly” file and select “Rename”.
Step 2: Change the file name to "QNAP" and press Enter. The "File Access Denied - Append Only" alert window will appear. We do not have permission to change the file name, confirming that file name cannot be changed in Append Only state.
Verify WORM Immutable status
Create WORM Immutable file
Step 1: In the WORM folder, create an empty Notepad file named "Immutable". Open this file, enter the number "12345", and then save the file.
Step 2: Right-click the file, select “Properties” and check Read-only. This file will become Immutable.
NOTE: Immutable and Append Only filetrigger mode,
While creating a new file, when the file is saved without any content, check read only -> Append Only
While creating a new file, when the file is edited and saved with content, check read only -> Immutable
For a file to be Immutable, the file must be checked Read-only after editing and saving, then the file will trigger the Immutable state.
Append Only state can only be triggered when the file is "blank" while checking Read-Only
Verify Immutable File - Delete / Write Data
Step 1: Open the "Immutable” file, delete the number "45", then save the file
Step 2: The Save As new file prompt will appear. You must save this file with a different filename.
Step 3: Save as a new file and rename the file to "Immutable_Modify".
Step 4: Repeat the above steps, and instead of deleting numbers, try adding some numbers. The original file still cannot be overwritten, and can only be saved as a new file. This confirms that deleting/writing data is not possible in the Immutable state, as you can only save as a new file, thus the original file is protected.
NOTE:Immutable state does not allow file modification at all.
Verify Immutable File - Delete file
Step 1: Right click on the “Immutable” file, select “Delete”, and click “Yes” to confirm deletion.
Step 2: We can see that the folder currently shows no “Immutable” file.
Step 3: Click the refresh button in the top-right corner. The “Immutable” file will appear again, confirming that the file cannot be deleted in the Immutable state.
Verify Immutable File - Rename
Step 1: Right click the “Immutable” file and select “Rename”.
Step 2: After attempting to change the file name, you will receive a "File Access Denied” error. We do not have permission to change the file name, confirming that file name cannot be changed in the Immutable state.
