Windows Security Log

Auditing allows administrators to configure Windows to record operating system activity in the Security Log.

The Security Log is one of the primary tools used by Administrators to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems; Microsoft describes it as "Your Best and Last Defense".[1]

The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity.

For this reason, once the Administrator account has been compromised, the event history as contained in the Security Log is unreliable.[8]

A defense against this is to set up a remote log server with all services shut off, allowing only console access.[12]

Microsoft notes, "It is possible to detect attempts to elude a security monitoring solution with such techniques, but it is challenging to do so because many of the same events that can occur during an attempt to cover the tracks of intrusive activity are events that occur regularly on any typical business network".
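The remote log server described above gives a defender something the compromised host cannot alter: a second copy of the event stream to compare against. The following is an added example, not code from the article or from Microsoft, that compares constructed sample records from a remote collector with the host's local Security Log and reports records that were removed locally as well as events whose IDs mark clearing or reconfiguring of the audit trail (1102 and 4719 are the real Windows event IDs for those two actions; all record contents are constructed).

```python
"""Compare a host's local Security Log against the copy held on a remote log
server and flag signs of tampering.  All sample records are constructed."""
from dataclasses import dataclass

# Event IDs a defender watches for (real Windows Security Log IDs):
# 1102 = "The audit log was cleared", 4719 = "System audit policy was changed".
TAMPER_EVENT_IDS = {1102: "audit log cleared", 4719: "audit policy changed"}


@dataclass(frozen=True)
class Event:
    record_id: int   # EventRecordID, assigned sequentially by the Event Log service
    event_id: int
    summary: str


def find_tamper_indicators(remote, local):
    """Return (missing_record_ids, tamper_events).

    missing_record_ids: records the remote server received that are absent from
    the local log; selectively deleting individual records leaves exactly this gap.
    tamper_events: records (in either copy) whose event ID indicates that the
    audit trail itself was cleared or its policy changed.
    """
    local_ids = {e.record_id for e in local}
    missing = sorted(e.record_id for e in remote if e.record_id not in local_ids)
    seen, tamper = set(), []
    for e in remote + local:
        if e.event_id in TAMPER_EVENT_IDS and e.record_id not in seen:
            seen.add(e.record_id)
            tamper.append((e.record_id, e.event_id, TAMPER_EVENT_IDS[e.event_id]))
    return missing, sorted(tamper)


# Constructed sample: the remote server holds the full stream; on the host,
# records 102 and 103 have been removed from the local log.
REMOTE = [Event(100, 4624, "logon: alice"),
          Event(101, 4624, "logon: bob"),
          Event(102, 4672, "special privileges assigned: bob"),
          Event(103, 4688, "process created: bob"),
          Event(104, 4719, "audit policy changed"),
          Event(105, 1102, "audit log cleared")]
LOCAL = [e for e in REMOTE if e.record_id not in (102, 103)]

if __name__ == "__main__":
    missing, tamper = find_tamper_indicators(REMOTE, LOCAL)
    print("records missing from local log:", missing)
    for rid, eid, why in tamper:
        print(f"record {rid}: event {eid} ({why})")
```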

Keeping the IT department's security systems and practices confidential helps prevent users from formulating ways to cover their tracks.

For instance, a user wanting to log into a fellow employee's account on a corporate network might wait until after hours to gain unobserved physical access to the computer in their cubicle; surreptitiously use a hardware keylogger to obtain their password; and later log into that user's account through Terminal Services from a Wi-Fi hotspot whose IP address cannot be traced back to the intruder.[15]

The Winzapper FAQ notes that it is "possible to add your own 'made up' event records to the log" but this feature was not added because it was considered "too nasty," a reference to the fact that someone with Administrator access could use such functionality to shift the blame for unauthorized activity to an innocent party.