A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.

A filter in a router or firewall allows unusual fragmented packets.

A system-critical Windows NT registry key has inappropriate permissions.

An event log in Windows NT has inappropriate access permissions.

The Logon box of a Windows NT system displays the name of the last user who logged in.

The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system without logging in.

A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.

A Windows NT log file has an inappropriate maximum size or retention period.

A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.

A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.

A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.

A network intrusion detection system (IDS) does not verify the checksum on a packet.

A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.

A network intrusion detection system (IDS) does not properly reassemble fragmented packets.

In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Operators, Replicators, System Operators, etc.

A system-critical Windows NT registry key has an inappropriate value.

The rpc.sprayd service is running.

The rexec service is running.

The rstat/rstatd service is running.

The rpc.rquotad service is running.