Disable: 'Audit: Audit the use of Backup and Restore privilege' for fullprivilegeauditing This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is backed up or restored. If the Audit: Audit the use of Backup and Restore privilege setting is enabled, a very large number of security events could quickly fill the Security event log. Counter Measure: Enable the Audit use of Backup and Restore privilege setting. Alternatively, implement automatic log backup by configuring the AutoBackupLogFiles registry key. If you enable this option when the Audit privilege use setting is also enabled, an audit event is generated for every file that is backed up or restored. This information could help you to identify an account that was used to accidentally or maliciously restore data in an unauthorized manner. For more information about configuring this key, see article 100879, The event log stops logging events before reaching the maximum log size, in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=100879). Potential Impact: If you enable this policy setting, a large number of security events could be generated, which could cause servers to respond slowly and force the Security event log to record numerous events of little significance. If you increase the Security log size to reduce the chances of a system shutdown, an excessively large log file may affect system performance.

[enable/disable]

(1) GPO: Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsAudit: Audit the use of Backup and Restore privilege