Audit Removable Storage
- Windows 10
- Windows Server 2016
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s SACL.
|Computer Type||General Success||General Failure||Stronger Success||Stronger Failure||Comments|
|Domain Controller||Yes||Yes||Yes||Yes||This subcategory will help identify when and which files or folders were accessed or modified on removable devices.
It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.
You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed.
We recommend Failure auditing to track failed access attempts.