WinSecWiki > Security Settings > Local Policies > Security Options > Audit > Audit the use of Backup and Restore privilege

Audit: Audit the use of Backup and Restore privilege

Enabling, this policy has no effect unless Audit privilege use events is also enabled.

By default there are a number of high volume rights that Windows does not audit even when you enable Audit privilege use. Enabling this policy makes Windows audit the use of high volume rights, SeBackupPrivilege and SeRestorePrivilege. Enabling this policy results in an event being logged for every object on the system affected by backups. I recommend against enabling this policy since it will only greatly increase the noise of the already noisy and low value Audit privilege use policy.

It is unclear whether enabling this policy also enables the audit of:

Bottom line

I don't recommend enabling this policy because it generates even more events in a category that is already basically all noise anyway. I actually recommend disabling Audit privilege use.

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Audit

•	Audit the use of global system objects
•	Audit the use of Backup and Restore privilege
•	Force audit policy subcategory settings
•	Shut down system immediately

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.