Audit Restores - FullPrivilegeAuditing

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

If an unauthorized user can restore files to a new directory, they can compromise those files. To catch such activity, requires full privilege auditing . To enable, apply the following Windows NT registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1

Full privilege auditing will cause a very large number of event records to be generated during backups and restores. Increase the size of the event log significantly if you need this information. Appropriate for high security environment. In any case, if the logs are not being examined for inappropriate access, forget it.

Frank Heyne has made available a Windows NT Eventlog FAQ .

See Also

Featured Links