Audit Removable Storage

Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s SACL.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes Yes Yes Yes This subcategory will help identify when and which files or folders were accessed or modified on removable devices.
It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.
You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed.
We recommend Failure auditing to track failed access attempts.
Member Server Yes Yes Yes Yes
Workstation Yes Yes Yes Yes

Events List:

  • 4656(S, F): A handle to an object was requested.

  • 4658(S): The handle to an object was closed.

  • 4663(S): An attempt was made to access an object.