A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

A trust relationship exists between two Unix hosts.

An SSH server allows authentication through the .rhosts file.

A superfluous NFS server is running, but it is not importing or exporting any file systems.

Windows NT automatically logs in an administrator upon rebooting.

NFS exports system-critical data to the world, e.g. / or a password file.

A Unix account with a name other than "root" has UID 0, i.e. root privileges.

Two or more Unix accounts have the same UID.

A system-critical Unix file or directory has inappropriate permissions.

A system-critical Windows NT file or directory has inappropriate permissions.

IIS has the #exec function enabled for Server Side Include (SSI) files.

An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.

A Sendmail alias allows input to be piped to a program.

rpc.admind in Solaris is not running in a secure mode.

A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.