Auditing Backup and Restore Activities

When files are being backed up, Windows NT checks to ensure that the user performing the backup has the Back Up Files and Directories special right each time the backup program attempts to copy a file to the backup media. In the same way, Windows NT checks for the Restore Files and Directories right for each file that is being restored from backup media. Obviously, if Windows NT were to record an audit event each time those rights were invoked, thousands of events would be recorded during a routine backup. Because this would flood the security log with event records that most often would be of little value for maintaining system security, Windows NT does not normally record audit events for the use of these rights, even when success auditing of Use of User Rights is enabled in the system user rights policy.

To audit the use of these rights, use the Registry Editor to create or assign the following Registry key value:

Hive:   HKEY_LOCAL_MACHINE\System

Key:    \CurrentControlSet\Control\Lsa

Name:   FullPrivilegeAuditing

Type:   REG_BINARY

Value:  1


The changes take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.
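The following script is an added example, not part of the original text, which describes making the change with the Registry Editor. It checks whether the FullPrivilegeAuditing entry described above is present with the REG_BINARY value 1 and, when run with -Enable, writes it. It assumes a Windows system on which PowerShell is available and an elevated session; the function name and the -Enable switch are hypothetical names chosen for this example.

```powershell
# Added example: check (and optionally set) the FullPrivilegeAuditing entry.
# Assumption: PowerShell is available and the session is elevated.
param([switch]$Enable)

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'FullPrivilegeAuditing'

function Get-FullPrivilegeAuditingState {
    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey.
    $key = Get-Item -Path $LsaPath
    if ($key.GetValueNames() -notcontains $ValueName) {
        return [pscustomobject]@{ Present = $false; Kind = $null; Enabled = $false }
    }
    $kind  = $key.GetValueKind($ValueName)
    $value = $key.GetValue($ValueName)
    # The entry is specified as REG_BINARY with value 1, i.e. a first byte of 0x01.
    # A value of another type (for example a DWORD) is reported as not enabled
    # so that it gets rewritten with the documented type.
    $enabled = ($kind -eq [Microsoft.Win32.RegistryValueKind]::Binary) -and
               ($value.Length -ge 1) -and ($value[0] -eq 1)
    [pscustomobject]@{ Present = $true; Kind = $kind; Enabled = $enabled }
}

$state = Get-FullPrivilegeAuditingState
if ($state.Enabled) {
    Write-Output "$ValueName is already set to REG_BINARY 01."
}
elseif ($Enable) {
    # -Force overwrites an existing entry, including one of the wrong type.
    New-ItemProperty -Path $LsaPath -Name $ValueName `
        -PropertyType Binary -Value ([byte[]](0x01)) -Force | Out-Null
    $after = Get-FullPrivilegeAuditingState
    if (-not $after.Enabled) { throw "Failed to set $ValueName." }
    # The change takes effect the next time the computer is started.
    Write-Output "$ValueName set to REG_BINARY 01. Restart the computer to apply."
}
else {
    Write-Output ("{0} is not enabled (present: {1}, type: {2}). Re-run with -Enable to set it." -f
        $ValueName, $state.Present, $state.Kind)
}
```

Because every file touched by a backup or restore then produces an audit event, size the security log for the additional volume before enabling the entry.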

Note

The use of the following rights is never audited, even when the FullPrivilegeAuditing Registry entry is set to 1. However, the assignment of these rights, during logon, is audited.