4663 Triggering off of VMware Removable...
Posted 11/1/2019 1:48:26 PM
Forum Newbie

Group: Forum Members
Last Login: 3/7/2018 5:43:55 PM
Posts: 1, Visits: 0
We are getting a high volume of 4663 events in our environment, mostly coming from virtual servers hosted on a VMware platform. We noticed that the events are mostly triggering off activity to the D: drives on these servers, which makes sense in some respect b/c the hosted/primary applications are running off of the D: drives. But we also noticed that the Task Category field in the events shows as "Removable Storage".

We think, based on our research of VMware, that this is unique to them. And the resolution the VMware forums suggest is too complicated to undertake.

We are considering disabling either the Audit Removable Storage policy or the Audit Object Access policies or both, but we are also concerned about reducing security and visibility.

Looking for suggestions on handling these events.
Post #8601
Posted 11/13/2019 4:33:33 AM
Junior Member

Group: Administrators
Last Login: 4/13/2009 5:07:47 PM
Posts: 22, Visits: 0

I'm assuming this is the fix you're talking about? https://communities.vmware.com/thread/476008

Being that these are VMs, you may want to think about disabling the Audit Removable Storage policy. There's no risk here of a malicious user inserting a thumb drive since these are VMs. This is, of course, assuming that your VMware hosts are accessible to admins only.
Post #8604
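
Added example (not part of the original thread): a PowerShell sketch for measuring how much of the 4663 volume actually carries the "Removable Storage" task category, and which volumes and processes generate it, before changing audit policy. It assumes an elevated session on an affected VM and an English-language OS (the category name is localized); `$Hours` and `$Top` are illustrative parameters.

```powershell
# Added example: quantify 4663 events by Task Category before touching audit policy.
# Run elevated on an affected VM. $Hours and $Top are illustrative parameters.
param([int]$Hours = 24, [int]$Top = 10)

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Output "No 4663 events found in the last $Hours hours."
    return
}

# 1. Split the volume by Task Category. 4663 is logged by several Object Access
#    subcategories (File System, Removable Storage, ...), so this shows what
#    would remain if only Removable Storage auditing were turned off.
$events | Group-Object TaskDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. For the "Removable Storage" events, list the top volume/process pairs.
#    ObjectName may be a drive-letter path or a \Device\... path; handle both.
$rows = foreach ($e in ($events | Where-Object TaskDisplayName -eq 'Removable Storage')) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $volume = if ($data['ObjectName'] -match '^(?:[A-Za-z]:|\\Device\\[^\\]+)') { $Matches[0] } else { '(other)' }
    [pscustomobject]@{ Volume = $volume; Process = $data['ProcessName'] }
}
$rows | Group-Object Volume, Process |
    Sort-Object Count -Descending |
    Select-Object -First $Top Count, Name | Format-Table -AutoSize

# 3. Show the effective setting for the two subcategories discussed in the thread.
foreach ($sub in 'Removable Storage', 'File System') {
    auditpol /get /subcategory:"$sub"
}

# 4. The change suggested in the reply above, left commented out so the script
#    only reports. This disables the Removable Storage subcategory alone and
#    leaves File System auditing (and its SACL-driven 4663 events) in place.
# auditpol /set /subcategory:"Removable Storage" /success:disable /failure:disable
```

If the subcategory is set through Group Policy (Advanced Audit Policy Configuration > Object Access > Audit Removable Storage), a local `auditpol /set` is overwritten at the next policy refresh, so the change belongs in the GPO that applies to these VMs.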