|
|
|
Forum Newbie
Group: Forum Members
Last Login: 3/7/2018 5:43:55 PM
Posts: 1,
Visits: 0
|
|
We are getting a high volume of 4663 events in our environment. Mostly coming from virtual servers hosted on a VMWare platform. We noticed that the events are mostly triggering off activity to the D: drives on these servers, which makes sense in some respect b/c the hosted/primary applications are running off of the D: drives. But also we noticed the Task Category fields in the events shows as "Removable Storage".
We think based on our research of VMware that this is unique to them. And the resolution the VMWare forums suggest is too complicated to undertake.
We are considering Disabling either the Audit Removable Storage policy or the Audit object access policies or both. But also concerned about reducing security and visibility.
Looking for suggestions on handling these events.
|
|
|
|
|
Junior Member
Group: Administrators
Last Login: 4/13/2009 5:07:47 PM
Posts: 15,
Visits: 0
|
|
Hi,
I'm assuming this is the fix you're talking about? https://communities.vmware.com/thread/476008
Being that these are VM's you may want to think about disabling the Audit Removable Storage policy. There's no risk here of a malicious user inserting a thumb drive since these are VM's. This is, of course, assuming that your VMware hosts are accessible to admins only.
|
|
|
|