The default admin account is a problem

Synology creates a default admin account during setup. Many businesses leave it enabled with a weak or reused password. Attackers know this — automated scanners specifically look for Synology devices with default or common credentials. Disabling the default admin account and creating a named account with a strong password is one of the first things that should happen during setup, and one of the most commonly skipped.

Internet exposure is often broader than people realise

QuickConnect, port forwarding, and UPnP can all result in your NAS being accessible from the internet — sometimes without anyone deliberately configuring it that way. A Synology that's reachable from the internet with weak credentials or an unpatched DSM version is an active target. Synology devices have been specifically targeted by ransomware campaigns that exploited known vulnerabilities in internet-facing installations.

For a device with open ports, an enabled default admin account, and an outdated DSM version, compromise is not a question of if but of when.

DSM updates get skipped

DSM updates frequently include security patches for actively exploited vulnerabilities. Businesses that ignore update notifications — or disable automatic updates — are running known-vulnerable software on a device that may be internet-facing. This is one of the most direct paths to a compromised NAS.

Two-factor authentication is rarely enabled

Even with a strong password, a Synology without two-factor authentication is one credential leak away from full access. 2FA is available in DSM and should be mandatory for any account with administrative access, and strongly recommended for all users.

Firewall rules are either absent or misconfigured

DSM includes a built-in firewall, but it's not enabled by default and requires deliberate configuration to be useful. A properly configured firewall limits which IPs can reach which services — significantly reducing the attack surface even on a device that has some internet exposure. Most Synology devices in business environments have either no firewall rules or rules that were set up once and never reviewed.
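To make the "which IPs can reach which services" point concrete, here is an added Python example (not Synology's code or configuration format) that evaluates an ordered, default-deny rule list the way the DSM firewall conceptually does, and then audits that list for the kind of rule a one-time setup tends to leave behind: an allow rule that exposes the DSM management ports (5000/5001 by default) to any source. The rule layout, subnets and sample connections are constructed for illustration.

```python
"""Ordered, default-deny firewall evaluation plus a rule review check.

Added example for illustration; it is not Synology code and the Rule
structure is an assumption, not the DSM firewall's own configuration format.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DSM_MGMT_PORTS = {5000, 5001}  # DSM default HTTP/HTTPS management ports


@dataclass(frozen=True)
class Rule:
    source: str          # CIDR the rule matches on
    ports: frozenset     # destination TCP ports; empty set means all ports
    action: str          # "allow" or "deny"


# Constructed policy: management and file services only from the office LAN
# and the VPN client subnet; everything else falls through to the catch-all.
RULES = [
    Rule("192.168.10.0/24", frozenset({5000, 5001, 445, 22}), "allow"),
    Rule("10.8.0.0/24", frozenset({5000, 5001, 445}), "allow"),
    Rule("0.0.0.0/0", frozenset(), "deny"),  # explicit default deny
]


def evaluate(rules, src_ip, dst_port, default="deny"):
    """First matching rule wins; if nothing matches, apply the default."""
    addr = ip_address(src_ip)
    for rule in rules:
        in_source = addr in ip_network(rule.source)
        on_port = not rule.ports or dst_port in rule.ports
        if in_source and on_port:
            return rule.action
    return default


def audit(rules):
    """Flag allow rules that expose DSM management ports to the whole internet.

    This is the review step the text says rarely happens after initial setup.
    """
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow":
            continue
        if ip_network(rule.source).prefixlen != 0:
            continue
        exposed = DSM_MGMT_PORTS if not rule.ports else DSM_MGMT_PORTS & rule.ports
        if exposed:
            findings.append(
                f"rule {i}: allows {sorted(exposed)} from any source ({rule.source})"
            )
    return findings


if __name__ == "__main__":
    for ip, port in [("192.168.10.25", 5001), ("203.0.113.9", 5001), ("10.8.0.3", 22)]:
        print(ip, port, "->", evaluate(RULES, ip, port))
    print("audit:", audit(RULES) or "no findings")
```

Running it shows the office workstation reaching the DSM UI, an internet source being denied on the same port, and the VPN client being denied SSH because no rule grants it; the audit comes back clean for this policy and would name the offending rule if a broad allow were added.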

What a properly secured Synology looks like

Default admin disabled, named accounts with strong passwords and 2FA, DSM kept current, firewall rules in place, unnecessary services disabled, login attempt limits configured, and remote access limited to VPN where possible. That's not an exhaustive list — but it's the baseline that most devices don't meet.
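Two items on that baseline, disabling the default admin account and limiting login attempts, show up together in the authentication log. The added Python example below (not Synology code; the log line format is constructed for the example and is not DSM's own format) runs a sliding-window count of failed logins per source address, the same idea as an auto-block threshold, and separately counts attempts against the built-in `admin` name, which on a hardened device should be disabled and therefore never appear in a legitimate login.

```python
"""Sliding-window failed-login detection over sample authentication log lines.

Added example. SAMPLE_LOG and its format are constructed for illustration;
they are not Synology's log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: failed login user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

# Constructed sample: a burst against the default admin account from one
# internet address, and two unrelated typos from an office workstation.
SAMPLE_LOG = """\
2024-05-02T10:00:01 auth: failed login user=admin from=203.0.113.9
2024-05-02T10:00:03 auth: failed login user=admin from=203.0.113.9
2024-05-02T10:00:04 auth: failed login user=admin from=203.0.113.9
2024-05-02T10:00:06 auth: failed login user=admin from=203.0.113.9
2024-05-02T10:00:07 auth: failed login user=admin from=203.0.113.9
2024-05-02T10:00:09 auth: failed login user=nas-ops from=192.168.10.25
2024-05-02T10:30:00 auth: failed login user=nas-ops from=192.168.10.25
"""


def parse(log):
    """Yield (timestamp, user, source_ip) for each line that matches."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def find_lockouts(log, max_attempts=5, window=timedelta(minutes=5)):
    """Return source IPs that hit max_attempts failures inside one window,
    plus how many attempts targeted the default 'admin' account."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    blocked = set()
    admin_attempts = 0
    for ts, user, ip in parse(log):
        if user == "admin":
            admin_attempts += 1
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_attempts:
            blocked.add(ip)
    return {"blocked": sorted(blocked), "admin_attempts": admin_attempts}


if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG))
```

With the sample input, the internet address crosses the five-attempt threshold within the window and is reported, while the workstation's two failures half an hour apart are not. The non-zero `admin_attempts` count is itself a finding: it means the device is still accepting login attempts for an account the baseline says should be disabled.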

Not sure if your Synology is properly secured?

We audit and harden Synology NAS devices for business environments. One session is usually enough to know where you stand and fix what needs fixing.

[email protected]