A Windows NT file system is not NTFS.

A system-critical Windows NT registry key has inappropriate permissions.

An event log in Windows NT has inappropriate access permissions.

The Logon box of a Windows NT system displays the name of the last user who logged in.

The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in.

A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

A Windows NT log file has an inappropriate maximum size or retention period.

A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

A system-critical Windows NT registry key has an inappropriate value.

An application-critical Windows NT registry key has inappropriate permissions.

An application-critical Windows NT registry key has an inappropriate value.

ICQ 98 beta on Windows NT leaks the internal IP address of a client in the TCP data segment of an ICQ packet instead of the public address (e.g. through NAT), which provides remote attackers with potentially sensitive information about the client or the internal network configuration.

TCP/IP implementation in Microsoft Windows 95, Windows NT 4.0, and possibly others, allows remote attackers to reset connections by forcing a reset (RST) via a PSH ACK or other means, obtaining the target's last sequence number from the resulting packet, then spoofing a reset to the target.

A Windows NT domain user or administrator account has a guessable password.

A Windows NT domain user or administrator account has a default, null, blank, or missing password.

The Windows NT guest account is enabled.

The Windows NT RPC service allows remote attackers to conduct a denial of service using spoofed malformed RPC packets which generate an error message that is sent to the spoofed host, potentially setting up a loop, aka Snork.

Cisco PIX firewall manager (PFM) on Windows NT allows attackers to connect to port 8080 on the PFM server and retrieve any file whose name and location is known.

The WINS server in Microsoft Windows NT 4.0 before SP4 allows remote attackers to cause a denial of service (process termination) via invalid UDP frames to port 137 (NETBIOS Name Service), as demonstrated via a flood of random packets.