PingSentry   |   Blog   |   System32   |   GitHub   |   Free tools

Auditing: Removable Storage

af074caf-14a4-41f5-9ebd-e2214dc48240

The HotplugSecureOpen registry key is required in order for auditing of removable devices like USB drives to work and generate event id 4663.

https://social.technet.microsoft.com/Forums/Lync/en-US/7500770b-de1d-4c95-8a0d-e85cbfaa9472/windows-10-1803-removable-storage-inspection-does-not-work-the-system-does-not-generate-4663?forum=win10itprosecurity

Remediation

https://www.eventsentry.com/kb/410

Stig Server:https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-73457
Stig Desktop: https://www.stigviewer.com/stig/windows_10/2019-01-04/finding/V-63473

To fix this configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> System Audit Policies >> Object Access >> "Audit Removable Storage" with "Success" selected.



Tags

stig-medium-server stig-medium-desktop desktop server compliance-server compliance-desktop security-desktop security-server nist800-171-desktop nist800-171-server cmmc-l2-desktop cmmc-l2-server cmmc2-l2-desktop cmmc2-l2-server