If an unauthorized user can restore files to a new directory, they can compromise those files. To catch such activity, requires full privilege auditing . To enable, apply the following Windows NT registry hack:

Hive: HKEY_LOCAL_MACHINE
Key: SYSTEM\CurrentControlSet\Control\Lsa
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1

Full privilege auditing will cause a very large number of event records to be generated during backups and restores. Increase the size of the event log significantly if you need this information. Appropriate for high security environment. In any case, if the logs are not being examined for inappropriate access, forget it.

Frank Heyne has made available a Windows NT Eventlog FAQ .

A must have for NT administrators in corporate or governmental organizations or anyone being audited by a large outside audit firm.
It is not a secrets type guide but it has excellent sound advice and its used by PriceWaterhouse's auditors as a guide.