IIS has the #exec function enabled for Server Side Include (SSI) files.

A system-critical Windows NT file or directory has inappropriate permissions.

A system-critical Unix file or directory has inappropriate permissions.

Two or more Unix accounts have the same UID.

A Unix account with a name other than "root" has UID 0, i.e. root privileges.

NFS exports system-critical data to the world, e.g. / or a password file.

Windows NT automatically logs in an administrator upon rebooting.

A superfluous NFS server is running, but it is not importing or exporting any file systems.

An SSH server allows authentication through the .rhosts file.

A trust relationship exists between two Unix hosts.

A system is operating in "promiscuous" mode which allows it to perform packet sniffing.

A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.

A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.

The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real password file is obtainable, or executable commands such as "ls" can be overwritten.

ICMP echo (ping) is allowed from arbitrary hosts.

A system-critical NETBIOS/SMB share has inappropriate access control.

An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.

A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.

Anonymous FTP is enabled.

A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap or queso.

An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).

A service or application has a backdoor password that was placed there by the developer.

IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.