My company has a problem with customers potentially using thumb drives to record and access information on companies' machines which we contract with to run testing applications for us. Ideally, we'd like them to lock the system down to not allow this, but this really isn't an option as several companies have expressed displeasure in following this request. Is there a logging system somewhere in Windows which keeps track of things which have accessed the computer within a certain amount of time? If not, is there a program we can have running in the background to do so?
I should clarify. Really what my company is afraid of is someone using a thumb drive that has programs on it and launching applications which can copy data from our testing system. The testing is done over the internet, so we aren't really afraid of them copying files from the hard drive. I know we probably can't detect that someone launched an application, but in a pinch we'd like to detect if a thumb drive was placed in the machine at a certain date and time.
You can detect the evidence that a thumb drive was plugged in. See Windows forensics expert Harlan Carvey's blog post Forensics Laws to indicate this is true. He does cover it in his book, Windows Forensics Analysis, if I remember right (the link in the blog now takes you to the Elsevier home page for Syngress).
To determine what was copied is a bit more difficult if you don't have auditing turned on. If you have exact images of the two drives you may be able to determine which direction, but then you already know which files.
If you activate certain SACLs for your sensitive files (it's set up inside the security editor, under the "Auditing" tab if I remember right), all accesses get logged to the Security event log.
If the machines are managed via Active Directory this can be done via applying the correct Group Policy.
You can see some instructions here.
This is also covered in MS KB555324.
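The SACL approach described in the answer above, as an added PowerShell example that is not part of the original answers. It assumes Windows Vista or later (where file access audits are logged as event ID 4663), an elevated session, an English-language system for the `auditpol` subcategory name, and a hypothetical folder `C:\TestData`.

```powershell
# Added example: audit access to a sensitive folder, then list who touched it.
# $Path is a hypothetical location; replace it with the folder to monitor.
$Path = 'C:\TestData'

# 1. Enable the "File System" audit subcategory. Without it, SACL entries
#    produce no events. A domain Group Policy can override this local setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit (SACL) entry for Everyone (well-known SID S-1-1-0) that
#    covers reads, writes and deletes, inherited by subfolders and files.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag   = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule(
                $everyone, $rights, $inherit, $propag, $flags)

$acl = Get-Acl -Path $Path -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Report file-access events (ID 4663) under $Path from the last 24 hours.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $data.SubjectUserName
                Process    = $data.ProcessName   # e.g. a program started from removable media
                Object     = $data.ObjectName
                AccessMask = $data.AccessMask
            }
        }
    }
```

The `Process` column shows the full path of the executable that opened the file, so a program launched from a removable drive letter stands out in the report.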