September 2004
Intermediate to advanced
408 pages
7h 25m
English
Unfortunately, Windows does not have a lot of detection countermeasures (Item 2) built into it, but one of the features that comes close is auditing. On a secure production system, auditing is one way an administrator can detect that an attack has occurred or is in progress. A good sysadmin will turn on auditing to detect password-guessing attacks, attempts to access sensitive resources, null session connections (Item 35), and so on.
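As an added example of the auditing approach described above (it is not code from the book or its author), the PowerShell below enables logon auditing with the built-in `auditpol` tool and then summarises recent failed logons from the Security log so that a password-guessing attempt stands out as a burst of failures against one account from one source. It assumes a Windows version with the Vista/2008-era event schema (Event ID 4625 for a failed logon; older systems logged these as ID 529), an elevated prompt, and a one-hour window with a failure threshold of 10, both of which are arbitrary values chosen for the example.

```powershell
# Added example (not from the book): turn on logon auditing and look for
# password-guessing patterns in the Security log. Run elevated on Windows
# Vista / Server 2008 or later; auditpol and Get-WinEvent are built in.

# 1. Enable success and failure auditing for the "Logon" subcategory.
#    Failures are what reveal guessing; successes show when a guess worked.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# 2. Collect failed-logon events (ID 4625) from the last hour (assumed window).
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# 3. Read named fields from each event's XML payload rather than relying on
#    positional property indices, which differ between event IDs.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = Get-EventField -Event $e -Name 'TargetUserName'
        Source    = Get-EventField -Event $e -Name 'IpAddress'
        # SubStatus 0xC000006A = wrong password, 0xC0000064 = unknown user name;
        # many of the latter from one source usually means account enumeration.
        SubStatus = Get-EventField -Event $e -Name 'SubStatus'
    }
}

# 4. Report any account/source pair that exceeds the threshold (assumed value).
$threshold = 10
$rows |
    Group-Object -Property Account, Source |
    Where-Object { $_.Count -gt $threshold } |
    ForEach-Object {
        '{0,-30} {1,-16} {2,5} failures since {3}' -f $_.Values[0], $_.Values[1], $_.Count, $since
    }
```

The same `Get-WinEvent` query with a different ID (for example audit-failure events for object access, once that subcategory is enabled) serves the second use the text mentions: finding out why an authorised user is being denied access, since the failure event names the object and the account involved.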
The security audit log can also be helpful to a developer in tracking down security problems where an authorized user is accidentally denied access. For example, I've always recommended auditing of logon events on all lab machines. A logon event occurs when a new logon session (