Security - Track Removable Storage in Windows

Windows Security Audit Log offers a way to audit removable storage access. Removable storage auditing in works similar to and logs the exact same events as File System auditing. The only difference is in controlling what activity is audited.

To review, with File System auditing, there are 2 levels of audit policy.  

1. Enable the Audit File System audit subcategory at the computer level. 
2. Choose which folders to audit and enable object level auditing on those folders for the users/groups, permissions and success/failure results that need to be monitored. 

Configure settings to monitor removable storage devices

1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to Tools, and then click Group Policy Management.
3. In the console tree, right-click the flexible access Group Policy Objecton the domain controller, and then click Edit.
4. Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy Configuration, double-click Object Access, and then double-click Audit Removable Storage.
5. Select the Configure the following audit eventscheck box, select the Successcheck box (and the Failurecheck box, if desired), and then click OK.
6. If you selected the Failurecheck box, double-click Audit Handle Manipulation, select the Configure the following audit events check box, and then select Failure.
7. Click OK, and then close the Group Policy Management Editor. 

Verify that removable storage devices are monitored

1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type cmd to open a Command Prompt window.
   
   Note: If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
2. Type gpupdate /force, and press ENTER.
3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
4. In Server Manager, click Tools, and then click Event Viewer.
5. Expand Windows Logs, and then click Security.
6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include Task Category = Removable Storagedevice.

Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.


Example: 
Once enabled, Windows logs the same event ID 4663 as for File System auditing.  For example, the event below shows that user admin wrote a file called payroll.pdf to a removable storage device Windows arbitrarily named I:\Company.

<5>Sep 24 11:44:31 Elm.iamunique.com Microsoft-Windows-Security-Auditing[768]: {"EventTime": "2018-09-24 11:43:30", "Hostname": "Elm.iamunique.com "Keywords": -9214364837600034816, "EventType": "AUDIT_SUCCESS", "SeverityValue": 2, "Severity": "INFO", "EventID": 4663, "SourceName": "Microsoft-Windows-Security-Auditing", "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", "Version": 1, "Task": 12800, "OpcodeValue": 0, "RecordNumber": 382072087, "ProcessID": 768, "ThreadID": 776, "Channel": "Security", "Message": "An attempt was made to access an object.", "Category": "Removable Storage", "Opcode": "Info", "SubjectUserSid": "S-1-5-21-343361891-1219768270-4058147650-1179", "SubjectUserName": "admin", "SubjectDomainName": "MP", "SubjectLogonId": "0x2741cc1b84", "ObjectServer": "Security", "ObjectType": "File", "ObjectName": "I:\\Company\\payroll.pdf", "HandleId": "0xf3c8", "AccessList": "%%4417\r\n\t\t\t\t", "AccessMask": "0x2", "ResourceAttributes": "S:AI", "EventReceivedTime": "2018-09-24 11:43:30", "SourceModuleName": "wineventlog_in", "SourceModuleType": "im_msvistalog"}

To track information being copied from your network to removable storage devices 

• monitor for Event ID 4663 
• where Task Category is Removable Storage and 
• Accesses is wither WriteData or AppendData.