Auditing: Removable Storage

af074caf-14a4-41f5-9ebd-e2214dc48240

The HotplugSecureOpen registry key is required for auditing of removable devices such as USB drives to work and generate event ID 4663.

https://social.technet.microsoft.com/Forums/Lync/en-US/7500770b-de1d-4c95-8a0d-e85cbfaa9472/windows-10-1803-removable-storage-inspection-does-not-work-the-system-does-not-generate-4663?forum=win10itprosecurity

Remediation

To fix this, configure the policy value for:
Computer Configuration
|_ Windows Settings
   |_ Security Settings
      |_ Advanced Audit Policy Configuration
         |_ System Audit Policies
            |_ Object Access
               |_ "Audit Removable Storage" with "Success" selected.

More information: https://www.eventsentry.com/kb/410
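
To verify the result on a host, the following added example (not part of the original page or of any referenced tool) reads the effective "Removable Storage" audit setting with auditpol, checks the HotplugSecureOpen value, and looks for a recent 4663 event in that task category. Assumptions: an elevated prompt, an English-language system (auditpol output and task names are localized), and the registry path shown for HotplugSecureOpen, which this page does not state.

```powershell
#Requires -RunAsAdministrator
function Test-RemovableStorageAudit {
    [CmdletBinding()]
    param(
        # Subcategory name as displayed on English-language systems.
        [string]$Subcategory = 'Removable Storage',
        # Assumed location of the HotplugSecureOpen value (not given on this page).
        [string]$StorageKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Storage',
        # How many recent 4663 events to inspect.
        [int]$MaxEvents = 500
    )

    # /r emits CSV with an "Inclusion Setting" column:
    # No Auditing | Success | Failure | Success and Failure
    $raw = & auditpol.exe /get "/subcategory:$Subcategory" /r 2>$null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit code $LASTEXITCODE)" }
    $row = $raw | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv |
        Select-Object -First 1
    $setting = $row.'Inclusion Setting'

    # A missing value yields $null rather than an error.
    $hotplug = (Get-ItemProperty -Path $StorageKey -Name HotplugSecureOpen `
        -ErrorAction SilentlyContinue).HotplugSecureOpen

    # 4663 is also produced by File System auditing, so keep only events
    # whose task category is the removable storage subcategory.
    $last = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq $Subcategory } |
        Select-Object -First 1

    [pscustomobject]@{
        AuditSetting      = $setting
        SuccessAudited    = [bool]($setting -match 'Success')
        HotplugSecureOpen = $hotplug
        LastRemovable4663 = if ($last) { $last.TimeCreated } else { $null }
        Ready             = ($setting -match 'Success') -and ($hotplug -eq 1)
    }
}

Test-RemovableStorageAudit | Format-List
```

If Ready is True but LastRemovable4663 stays empty after a test file is written to a USB drive, check whether a domain GPO is overriding the local audit policy.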

STIG:
Server:
2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2023-09-11/finding/V-254317
2019: https://www.stigviewer.com/stig/microsoft_windows_server_2019/2023-09-11/finding/V-205840 / https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93167
2016: https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-73457 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73457

Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2023-09-29/finding/V-253324
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220766 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220766

NIST 800-53: AU-12c (AU-12(3))
CAT: II
CCI: CCI-000172
Rule-ID: SV-220765r569187_rule
STIG-ID: WN10-AU-000085
STIG-Legacy: SV-77961
STIG-Legacy: V-63471
Vuln-ID: V-220765