PingSentry   |   Discord   |   System32   |   GitHub   |   Free tools

Auditing: Removable Storage

af074caf-14a4-41f5-9ebd-e2214dc48240

The HotplugSecureOpen registry key is required in order for auditing of removable devices like USB drives to work and generate event id 4663.

https://social.technet.microsoft.com/Forums/Lync/en-US/7500770b-de1d-4c95-8a0d-e85cbfaa9472/windows-10-1803-removable-storage-inspection-does-not-work-the-system-does-not-generate-4663?forum=win10itprosecurity

Remediation

To fix this configure the policy value for
Computer Configuration
|_ Windows Settings
|_ Security Settings
|_ Advanced Audit Policy Configuration
|_ System Audit Policies
|- Object Access
|_ "Audit Removable Storage" with "Success" selected.

More information: https://www.eventsentry.com/kb/410

Stig:
Server:
2022: https://system32.eventsentry.com/stig/viewer/V-254317
2019: https://system32.eventsentry.com/stig/viewer/V-205840

Desktop:
W11: https://system32.eventsentry.com/stig/viewer/V-253324
W10: https://system32.eventsentry.com/stig/viewer/V-220766

Nist 800-53: AU-12c (AU-12(3))
CAT: II
CCI: CCI-000172
Rule-ID:SV-220765r569187_rule
STIG-ID: WN10-AU-000085
STIG-Legacy: SV-77961
STIG-Legacy: V-63471
Vuln-ID: V-220765



Tags

stig-medium-server stig-medium-desktop desktop server compliance-server compliance-desktop security-desktop security-server nist800-171-server cmmc2-l2-desktop cmmc2-l2-server nist800-53-desktop nist800-53-desktop nist800-53-server nist800-53-server

Your Privacy Choices

Manage your cookie preferences below:

Helps us improve website performance and understand how visitors use our site.

Allows us to collect feedback about our products and improve them based on your input.

To learn more about our use of cookies, please see our
Privacy Policy.