MAP NAS Drives on Windows 11 using ESET IDS Rules
Posted: Fri Nov 14, 2025 8:46 pm
Windows updates, like 24H2, can negatively affect existing NAS installations. The last update on my Windows 11 PC disconnected mapped drives after performing a reboot. I tried many online posts with Windows Registry Editor instructions to reconnect the drives but they did not work. Windows could find my NAS but when I tried to map a drive it would immediately respond with "Access is denied" when the login window appeared. After numerous registry changes I decided to repair Windows, in case I messed something up, and try another method. Since the problem appeared to be permissions, I decided to use ESET to control SMB permissions on the PC. This worked immediately and was easy to set up.
To start, log in to your NAS and go to Control Panel > File Services > and click the SMB tab and ensure the following settings are correct.
Then click Advanced Settings to configure SMB. Leave the WINS server line blank unless you are using LAPD and are connecting to a Microsoft server.
For security reasons, DO NOT use SMB1 for the minimum SMB protocol unless you have an old device that does not support SMB2 and/or SMB3.
Set the Maximum SMB Protocol to SMB3
Set the Minimum SMB Protocol to SMB2 large MTU (using large MTU enables increased throughput and efficiency)
If more than one client accesses the NAS you should enable the following:
Check the box for Enable Opportunistic Locking
Check the box for Enable SMB2 file leasing
Check the box for Enable SMB3 directory leasing
Click the Apply to all shared folders if allowing access to more than the clients home folder.
Then select Clear SMB cache. When finished select save.
Log in the your PC and open ESET, then press F5 to bring up the advanced menu and select Network Access Protection.
Then click the plus sign for Network attack protection.
Select IDS rules Edit
Click the Add rules button.
Here you can create a number of rules that affect you PCs Intrusion Detection System (IDS).
To enable SMB scroll down to the Use of NTLM in SMB selections.
If your PC network is private select "Use of NTLM in SMB in the Trusted zone"
If your PC network is public select "Use of NTLM in SMB outside the Trusted zone"
For security reasons it is safer to select the trusted zone.
Next enter the direction and the IP address or addresses of the NAS device(s).
Selecting Out is sufficient to map and use NAS drives.
The example shows two different NAS servers on the same network.
If you have more than one server separate the IPs with a comma.
Here you can apply the rule to a specific profile. So if you only want the SMB rule active for the private trusted network, select private. However if you select a profile ensure you are using the correct SMB detection method.
You also leave this entry blank to apply to all profiles.
Set the action for the rule whenever it is applied to a connection.
The Options to set are Block, Notify and Log.
Block should be set to no. This also prevents Windows from applying extended security extensions.
Notify works any time the rule is applied, which can be annoying.
Log will create an entry in the ESET log whenever the rule is applied. I do not use the log because my network is the only one that accesses SMB to the NAS drives.
When finished click the OK button to create and apply the rule. Once the rule is applied reboot your PC.
If the rule was created correctly Synology Assistant should be able to map the NAS drive(s).
If you cannot connect, check your entries to ensure the correct rule is selected, the correct IPs are entered and block is set to no.
Note: This allows mapping but does not ensure NAS devices will appear in the Windows File Explorer Network window.
To start, log in to your NAS and go to Control Panel > File Services > and click the SMB tab and ensure the following settings are correct.
- Check the box for Enable SMB service box to enable SMB.
- The Workgroup name should be the same name used for your PC workgroup.
- Check the box for Enable the transfer log if you want to track transfer activity in the Synology log file.
- Check the box for Enable Windows network discovery to allow file access via SMB
Then click Advanced Settings to configure SMB. Leave the WINS server line blank unless you are using LAPD and are connecting to a Microsoft server.
For security reasons, DO NOT use SMB1 for the minimum SMB protocol unless you have an old device that does not support SMB2 and/or SMB3.
Set the Maximum SMB Protocol to SMB3
Set the Minimum SMB Protocol to SMB2 large MTU (using large MTU enables increased throughput and efficiency)
If more than one client accesses the NAS you should enable the following:
Check the box for Enable Opportunistic Locking
Check the box for Enable SMB2 file leasing
Check the box for Enable SMB3 directory leasing
Click the Apply to all shared folders if allowing access to more than the clients home folder.
Then select Clear SMB cache. When finished select save.
Log in the your PC and open ESET, then press F5 to bring up the advanced menu and select Network Access Protection.
Then click the plus sign for Network attack protection.
Select IDS rules Edit
Click the Add rules button.
Here you can create a number of rules that affect you PCs Intrusion Detection System (IDS).
To enable SMB scroll down to the Use of NTLM in SMB selections.
If your PC network is private select "Use of NTLM in SMB in the Trusted zone"
If your PC network is public select "Use of NTLM in SMB outside the Trusted zone"
For security reasons it is safer to select the trusted zone.
Next enter the direction and the IP address or addresses of the NAS device(s).
Selecting Out is sufficient to map and use NAS drives.
The example shows two different NAS servers on the same network.
If you have more than one server separate the IPs with a comma.
Here you can apply the rule to a specific profile. So if you only want the SMB rule active for the private trusted network, select private. However if you select a profile ensure you are using the correct SMB detection method.
You also leave this entry blank to apply to all profiles.
Set the action for the rule whenever it is applied to a connection.
The Options to set are Block, Notify and Log.
Block should be set to no. This also prevents Windows from applying extended security extensions.
Notify works any time the rule is applied, which can be annoying.
Log will create an entry in the ESET log whenever the rule is applied. I do not use the log because my network is the only one that accesses SMB to the NAS drives.
When finished click the OK button to create and apply the rule. Once the rule is applied reboot your PC.
If the rule was created correctly Synology Assistant should be able to map the NAS drive(s).
If you cannot connect, check your entries to ensure the correct rule is selected, the correct IPs are entered and block is set to no.
Note: This allows mapping but does not ensure NAS devices will appear in the Windows File Explorer Network window.