If an unauthorized user can restore files to a new directory, they can
compromise those files. To catch such activity, requires full
privilege auditing . To enable, apply the following Windows NT registry
hack:
Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name:
FullPrivilegeAuditing
Type: REG_DWORD
Value: 1
Full privilege
auditing will cause a very large number of event records to be generated
during backups and restores. Increase the size of the event log significantly if you need this information. Appropriate for
high security environment. In any case, if the logs are not being examined for
inappropriate access, forget it.
Frank Heyne has made available a Windows NT
Eventlog FAQ .