Application Notes

Jan 2019

Use QNAP Enterprise Storage ES NAS to create WORM shared folder - Windows

© 2019 QNAP Systems, Inc. All Rights Reserved.


Notices

This user manual provides detailed instructions for using the QNAP Enterprise Storage NAS. Please read carefully and start to enjoy the powerful functions of the Enterprise Storage NAS.

The QNAP Enterprise Storage NAS is hereafter referred to as the ES NAS or the NAS.

This manual provides the description of all the functions of the ES NAS. The product you purchased may not support certain functions dedicated to specific models.

Legal Notices

All the features, functionality, and other product specifications are subject to change without prior notice or obligation. Information contained herein is subject to change without notice.

QNAP and the QNAP logo are trademarks of QNAP Systems, Inc. All other brands and product names referred to are trademarks of their respective holders. Further, the ® or ™ symbols are not used in the text.

Disclaimer

Information in this document is provided in connection with QNAP® products. No license, express or implied, by estoppel or otherwise, to any intellectual property rights is granted by this document. Except as provided in QNAP's terms and conditions of sale for such products, QNAP assumes no liability whatsoever, and QNAP disclaims any express or implied warranty, relating to sale and/or use of QNAP products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any patent, copyright or other intellectual property right.


Table of Contents

WORM Overview

Create shared folder with WORM
  System architecture
  Server role and network settings list
  Create WORM shared folder in an existing Pool

QNAP ES Series NAS WORM Shared Folder function
  QNAP WORM architecture
  QNAP WORM trigger conditions
  QNAP WORM permissions

Verify the WORM shared folder
  Verify WORM Append Only status
    Create a WORM Append Only file
    Verify Append Only File - Delete Data
    Verify Append Only File - Write Data
    Verify Append Only File - Delete file
    Verify Append Only File - Rename
  Verify WORM Immutable status
    Create WORM Immutable file
    Verify Immutable File - Delete / Write Data
    Verify Immutable File - Delete file
    Verify Immutable File - Rename


WORM Overview

WORM (Write Once, Read Many) is used to prevent modification of saved data. After this feature is enabled, data in shared folders can only be written, and cannot be deleted or modified, which ensures data integrity.

With increasingly stringent regulations on how information is stored, many countries require government agencies, financial institutions, and health care providers to comply with strict data archiving regulations. Many of these require storage systems that do not allow archived data to be tampered with. This has led to WORM becoming increasingly common.

Good examples are photos, contracts, financial reports, emails, employee information, and other important documents. They should not be modified once stored. In some professional fields, massive data needs to be analyzed, and huge amounts of real-time data need to be recorded and tracked. WORM technology is ideal for protecting these records, so that they will not be overwritten and can be saved as a reference for future use.

To meet the security requirements of enterprise storage, QNAP ES Series NAS has added WORM functionality to help information personnel protect important organizational information. It can provide substantial benefits to organizations and avoid the risk of breaking relevant information laws.

Create shared folder with WORM

System architecture

Device          Description
--------------  ------------------------------------------------------------
Storage Units   QNAP ES Series NAS (system version QES 1.1.3)
Servers         Install VMware ESXi 6.0
                Install Windows Server 2012 R2 to mount the NFS shared folder
IP Settings     As the ESXi host and NFS Server in the NAS connect and
                communicate with each other using IP, it is recommended that
                both the ESXi host and NAS server be set to static IP addresses.

Server role and network settings list

Server Network Settings

Role             IP              Description
---------------  --------------  ---------------------------
ESXi server A    192.168.2.60    VMware ESXi host
Data Network     1.1.1.60        10G Data port in ESXi host
Virtual Machine  192.168.2.105   Windows Server 2012 R2

Storage Network Settings

Setting            Value          Description
-----------------  -------------  -------------------------------
SCA Management IP  192.168.2.50   Management IP of controller A
SCA Ethernet1 IP   1.1.1.9        Data port 1 IP of controller A
SCA Ethernet2 IP   1.1.2.9        Data port 2 IP of controller A
SCB Management IP  192.168.2.51   Management IP of controller B
SCB Ethernet1 IP   1.1.1.10       Data port 1 IP of controller B
SCB Ethernet2 IP   1.1.2.10       Data port 2 IP of controller B
Pool at SCA        Pool1          RAID6 pool at controller A

Create WORM shared folder in an existing Pool

You must complete the following steps before creating a shared folder with WORM functionality. Refer to the link below to complete the process.

1. Add the server to the QNAP ES Series NAS whitelist

2. Create RAID and Storage Pool

Link: Set up a VMware ESXi Datastore via NFS with QNAP Enterprise-Class ES NAS

Step 1: Log in to QES and click "Shared Folders".

Step 2: Click "Storage Space" (1), select a storage pool (2), click the "Create" button and select "New Shared Folder" (3).

Step 3: Enter the desired WORM folder name. In "Storage Settings", set the WORM storage quota, and select other options according to different application scenarios. If there are no special requirements, you can just select the default values.

Step 4: Find "WORM Settings" and click "Edit".

Step 5: Check WORM and select "Compliance" in the drop-down menu.

Step 6: Set the retention period of the WORM folder. In this example, it is set to 1 day, meaning the WORM restrictions can only be removed after 1 day. After setting the retention period, click "Apply" to create the WORM folder.

Note: WORM folder type:

- Enterprise: Folders can only be written, but cannot be deleted, modified or restored. You can remove the shared folder through QES or CLI commands.

- Compliance: Folders can only be written, but cannot be deleted, modified or restored. To remove a folder, you must take the Storage Pool offline and remove the Pool.

Step 7: The WORM folder will appear in the list of shared folders. Click the folder name to enter "Shared Folder Manager". As the WORM type is set as "Compliance", the remove option (in "Actions") is disabled.

The steps to create the WORM folder are now complete.


QNAP ES Series NAS WORM Shared Folder function

QNAP WORM architecture

After enabling QNAP WORM in the shared folder, any file in this folder can be set to "Immutable" or "Append Only". The difference is as follows:

File state    Description
------------  -------------------------------------------------------
Append Only   You can add data, but not modify, delete, or rename it.
Immutable     You cannot add, modify, delete or rename it.

QNAP WORM trigger conditions

File state    Description
------------  -------------------------------------------------------
Append Only   In Windows: if the file is empty and the file attribute
              is set to Read-only, the file is "Append Only".
Immutable     In Windows: if there is data inside the file and the file
              attribute is set to Read-only, the file is "Immutable".

QNAP WORM permissions

Below is a description of QNAP WORM permissions.

WORM status is similar to denied permissions in an ACL, but there are some differences. The main differences are as follows:

a. If a folder uses WORM, then even users with the highest privileges ("administrator" or "root") cannot change the WORM status of files contained within.

b. If a child directory triggers the WORM state, the parent directory cannot be renamed or deleted. This is true at any folder level: as long as the WORM state is triggered, the parent folder cannot be renamed or deleted.

c. When the WORM folder retention period expires, the "remove privilege" and "delete child privilege" will be automatically granted.

For details, please refer to the following table:

            Write data       Append data   Delete (delete folder,   Rename   Rename
            (rename child)   (add child)   delete child)                     parent
----------  ---------------  ------------  -----------------------  -------  -------
NONE        ○                ○             ○                        ○        ○
AppendOnly  X                ○             X, (WORM expiry is ○)    X        X
Immutable   X                X             X, (WORM expiry is ○)    X        X

Verify the WORM shared folder

Verify WORM Append Only status

Create a WORM Append Only file

Step 1: Mount the WORM folder to a Windows PC. Open any folder in Windows, enter the WORM folder Shared Path "\\1.1.1.9\WORM", and enter your ES NAS user credentials.

Step 2: Enter this directory and create an empty Notepad file named "AppendOnly".

Step 3: Right-click the file, select "Properties" and check Read-only. This file will become Append Only.


Verify Append Only File - Delete Data

Step 1: Enter the number "12345" in the "AppendOnly" file, save the file, and close it.

Step 2: Open the "AppendOnly" file again, delete the end numbers "45", save the file and close it.

Step 3: Open the "AppendOnly" file again. You will find that the file has returned to its original state, "12345". This verifies that data cannot be deleted in the Append Only state.

Verify Append Only File - Write Data

Step 1: Enter the number "6789" after "12345" in the "AppendOnly" file, save the file, and close it.

NOTE: Read-only access affects the files in the folder (not the entire folder). You can enable WORM settings for folders through QES.

Reference: Microsoft, Folder read-only behavior.

Step 2: Open the "AppendOnly" file. It will display "123456789", confirming that data can be written to the file in the Append Only state.

Verify Append Only File - Delete file

Step 1: Right-click the "AppendOnly" file, select "Delete", and click "Yes" to confirm deletion.

Step 2: We can see that the folder currently shows no "AppendOnly" file.

Step 3: Click the refresh button in the top-right corner. The "AppendOnly" file will appear again, confirming that the file cannot be deleted in the Append Only state.

Verify Append Only File - Rename

Step 1: Right-click the "AppendOnly" file and select "Rename".

Step 2: Change the file name to "QNAP" and press Enter. The "File Access Denied - Append Only" alert window will appear. We do not have permission to change the file name, confirming that the file name cannot be changed in the Append Only state.

Verify WORM Immutable status

Create WORM Immutable file

Step 1: In the WORM folder, create an empty Notepad file named "Immutable". Open this file, enter the number "12345", and then save the file.

Step 2: Right-click the file, select "Properties" and check Read-only. This file will become Immutable.

Verify Immutable File - Delete / Write Data

Step 1: Open the "Immutable" file, delete the number "45", then save the file.

Step 2: The Save As new file prompt will appear. You must save this file with a different filename.

Step 3: Save as a new file and rename the file to "Immutable_Modify".

Step 4: Repeat the above steps, and instead of deleting numbers, try adding some numbers. The original file still cannot be overwritten, and can only be saved as a new file. This confirms that deleting/writing data is not possible in the Immutable state, as you can only save as a new file, thus the original file is protected.

NOTE: Immutable and Append Only file trigger mode:

- While creating a new file, when the file is saved without any content, check Read-only -> Append Only

- While creating a new file, when the file is edited and saved with content, check Read-only -> Immutable

For a file to be Immutable, the file must be checked Read-only after editing and saving, then the file will trigger the Immutable state.

Append Only state can only be triggered when the file is "blank" while checking Read-only.

Verify Immutable File - Delete file

Step 1: Right-click the "Immutable" file, select "Delete", and click "Yes" to confirm deletion.

Step 2: We can see that the folder currently shows no "Immutable" file.

Step 3: Click the refresh button in the top-right corner. The "Immutable" file will appear again, confirming that the file cannot be deleted in the Immutable state.

NOTE: Immutable state does not allow file modification at all.

Verify Immutable File - Rename

Step 1: Right-click the "Immutable" file and select "Rename".

Step 2: After attempting to change the file name, you will receive a "File Access Denied" error. We do not have permission to change the file name, confirming that the file name cannot be changed in the Immutable state.
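
The Append Only and Immutable walkthroughs above, scripted in PowerShell as an added example; it is not part of QNAP's application note. It assumes the share path from this note, credentials already supplied for the share, constructed file names, and a hypothetical $SettleSeconds delay.

```powershell
# Added example, not QNAP code. $Share is the path used in this note; the file
# names and $SettleSeconds are assumptions.
param(
    [string]$Share = '\\1.1.1.9\WORM',
    [int]$SettleSeconds = 15   # assumed wait so a cached client view cannot mask the server state
)

function Test-WormState {
    param([string]$Name, [string]$Seed, [bool]$AppendAllowed)

    $path    = Join-Path $Share $Name
    $renamed = Join-Path $Share "$Name.renamed"
    # Trigger rule from this note: Read-only on an empty file gives Append Only,
    # Read-only on a file that already holds data gives Immutable.
    [IO.File]::WriteAllText($path, $Seed)
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

    $attempts = [ordered]@{
        Append    = { [IO.File]::AppendAllText($path, '6789') }
        Overwrite = { [IO.File]::WriteAllText($path, 'X') }
        Rename    = { Rename-Item -LiteralPath $path -NewName "$Name.renamed" -ErrorAction Stop }
        Delete    = { Remove-Item -LiteralPath $path -Force -ErrorAction Stop }
    }

    foreach ($attempt in $attempts.GetEnumerator()) {
        $before = [IO.File]::ReadAllText($path)
        $clientError = $false
        try { & $attempt.Value } catch { $clientError = $true }

        # Judge by what the share holds afterwards, not by the client call: in the
        # walkthrough a delete looks successful until the view is refreshed.
        Start-Sleep -Seconds $SettleSeconds
        $present = Test-Path -LiteralPath $path
        $after   = if ($present) { [IO.File]::ReadAllText($path) } else { $null }

        $isAppend = $attempt.Key -eq 'Append' -and $AppendAllowed
        $expected = if ($isAppend) { $before + '6789' } else { $before }
        $ok = $present -and ($after -ceq $expected) -and -not (Test-Path -LiteralPath $renamed)

        [pscustomobject]@{
            File = $Name; Operation = $attempt.Key; ClientError = $clientError
            Result = if ($ok) { 'PASS' } else { 'FAIL' }
        }
        if (-not $present) { return }   # original file is gone, nothing left to test
    }
}

$stamp = Get-Date -Format 'yyyyMMddHHmmss'
$results = @(
    Test-WormState -Name "AppendOnly_$stamp.txt" -Seed ''      -AppendAllowed $true
    Test-WormState -Name "Immutable_$stamp.txt"  -Seed '12345' -AppendAllowed $false
)
$results | Format-Table -AutoSize
if ($results.Result -contains 'FAIL') { exit 1 }
```

The files it creates stay in the WORM folder until the retention period expires, so point it at a test folder. For operations the permissions table denies, a row with ClientError False and Result PASS marks a change the client reported as done but the share did not apply.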