You can use security auditing techniques to track the activities of users and to detect unauthorized attempts to access your NTFS file system directories and files. Activities that you can audit include the following:

• User attempts to log on, both successful and unsuccessful.
  
• User attempts to access restricted accounts.
  
• User attempts to execute restricted commands.
  

Note
In IIS 6.0, successful account logons, including every impersonation of the anonymous account, are audited by default. If your server is hosting busy Web sites, this can cause the security event log to fill quickly with entries. To disable auditing of successful logons in the security event log, see "Auditing security events" in Help and Support Center for Windows Server 2003.