Is there a way to audit access to USB drives with built-in Windows logging? We already do GP-based auditing on our server's NTFS file system, but how do we extend that to workstations? There is no guarantee of what kind of file system will be plugged into the workstations through USB. It may be NTFS or FAT32.

The reason we need to do this is to have a record of potentially unauthorized copying of company files.

Note: we also restricted USB access to the majority of machines. That works, but it turns out that the people who ask for (and are given) an exception are also those with access to very sensitive info.

Environment:

  • Windows 2008 R2 Server AD
  • Windows 7 Pro workstations

  • You can see every USB device ever plugged into the PC by checking the keys under `HKLM\System\CurrentControlSet\Enum\USBSTOR`, but as far as auditing specifically what files are being copied to or from the device, I do not know if it's possible, but suspect it's a pretty difficult, and ultimately pointless task that you won't find existing products or solutions for. – HopelessN00b Mar 01 '14 at 00:05
  • @HopelessN00b there are products that do that. I have used DeviceWall at one site. I heard GFI has something. I also piloted Sophos and Symantec endpoint security which enabled me also to force that files copied to the USB drive be automatically encrypted using a cert that is on the network only so I could prevent someone from stealing data from the network but still use the USB drive to move data around to other PCs on the network (I know sounds stupid but was interesting experiment). – ETL Mar 01 '14 at 03:30
  • @ETL I've worked for a vendor who sells such a product, and these products come with a list of exceptions and caveats a mile long when it comes to auditing removable media. The long and short of it is that there's no way to do auditing on an unknown, removable filesystem, as the OP wants - the only [mostly] effective approach is to define and audit information access on the computer, and log when it gets copied to a different volume. In my experience, however, this creates a false sense of security, as a skilled attacker can circumvent these controls and make off with your data anyhow. – HopelessN00b Mar 01 '14 at 08:18
  • @HopelessN00b - "this creates a false sense of security" - totally agree! – ETL Mar 01 '14 at 17:20
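
The `USBSTOR` key mentioned in the first comment can be turned into a per-workstation device inventory. The script below is an added example, not code from the thread; it is written for PowerShell 2.0 as shipped with Windows 7, the function name `Get-UsbStorHistory` is made up for illustration, and it records which storage devices were attached, not which files were copied.

```powershell
# Added example: list USB mass-storage devices recorded under USBSTOR.
# Assumes PowerShell 2.0 (Windows 7 default), so no [pscustomobject].
$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorHistory {
    # The key is absent if no USB storage device was ever attached.
    if (-not (Test-Path $root)) { return }

    foreach ($class in Get-ChildItem $root) {
        # Class key names look like: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
        $fields = @{}
        foreach ($part in ($class.PSChildName -split '&')) {
            $kv = $part -split '_', 2
            if ($kv.Count -eq 2) { $fields[$kv[0]] = $kv[1] }
        }

        # Each subkey is one device instance, named after its serial number.
        foreach ($instance in Get-ChildItem $class.PSPath) {
            $id    = $instance.PSChildName
            $props = Get-ItemProperty $instance.PSPath

            New-Object PSObject -Property @{
                Computer     = $env:COMPUTERNAME
                Vendor       = $fields['Ven']
                Product      = $fields['Prod']
                Revision     = $fields['Rev']
                InstanceId   = $id
                # An '&' as the second character means Windows generated the
                # ID because the device reported no serial number, so the
                # value cannot identify the same stick on another machine.
                UniqueSerial = ($id.Length -gt 1 -and $id[1] -ne '&')
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Emit one row per device; pipe to Export-Csv to collect centrally.
Get-UsbStorHistory |
    Select-Object Computer, Vendor, Product, Revision, InstanceId, UniqueSerial, FriendlyName |
    Format-Table -AutoSize
```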
