Windows NT/W2K/XP/W2K3 vulnerabilities as of 26 Nov, 2003 (Bill Wall)

$$hive$$.tmp file - temporary file created with RDISK; remove
$WinNT$.inf - contains network password if unattend used (Q167364)
$DATA Data Stream Name can view the script file; apply SP6 (Q193793)
$DATA vulnerability with IIS - iis4fixi.exe (Q188806 and MS98-003)
_setup.exe - worm
1 point font - can crash a print server. Fixed with SP3. (Q160964)
8.3(DOS) Name Creation Enabled - to disable, set HKLM\System\CCS\Control\FileSystem NtfsDisable8dot3NameCreation:REG_DWORD:1
16-bit DDE - Causes memory leaks. Fixed with SP3. (Q158142)
16-bit files - may crash 16-bit Windows applications. Fixed in SP3. (Q158587)
Absent directory browser argument vulnerability, IIS; patch (MS00-044, Q267559)
account lockout not enabled; enable after 3-5 attempts
account lockout not logged at the domain controller (Q182918)
Accounts that are unnecessary. Remove all unnecessary accounts. Evaluate the mgt groups.
ActivePerl 516 can crash IIS with large strings (NTBugtraq 5/99)
active setup control download vulnerability in IE; install the latest IE (MS00-042; Q265258)
Active scripting
Active Server Pages (ASP) could compromise your system. Apply the iis-fix (iis-fixi.exe).
ActiveX buffer overruns (ntbugtraq 10/99)
ActiveX scripts and plug-ins should be disabled.
Active Scripting enabled by default for restricted zones; disable (Q264346)
additional base system objects not restricted hklm\sys\ccs\control\session manager\AdditionalBaseNamedObjectsProtectionMode REG_DWORD = 1
Addusers.exe - delete from production servers
Administrative accounts mis-used. Administrators should have 2 accounts; a regular acct and Admin acct.
Administrator account name - should be renamed. Create a dummy admin acct with no privileges.
Administrator account password - should not be blank or easy to guess.
Administrator Group - look for unnecessary accounts in this group (Everyone, Guest)
Adobe SVG Viewer vul; latest is Adobe SVG Viewer version 3.01
AeDebug registry - restrict from Trojan Horses
Alerter Service - disable.
Allaire Cold Fusion - sample files can allow attacker to upload files to a server; patch
Allowed Executable Paths list
Anonymous logon - do not allow without a password. Check IUSR_[computername] account that comes with IIS. (Q164507)
Anonymous users - install SP3 to restrict anonymous users who are members of the Everyone group. (Q143474)
Anti-Relay problem - Exchange Server 5.5
AntiShut Registry key - Check HKLM | SOFTWARE | AntiShut for permissions. Used by getadmin.
anti-virus outdated
AOL Instant Messenger contains buffer overflow; upgrade to latest AOL IM
App Paths registry - restrict
AppEvent.Evt file permission - set only Admin and System full control
AppID - Check HKLM | SOFTWARE | Classes | AppID so it is not writable by Everyone.
Application Event Log - Go to EventLog | Application. Add RestrictGuestAccess, REG_DWORD = 1.
Application identity password written in clear text in CLB database on W2K; install SP1 (Q260946)
April 2001 Fools bug - incorrect time on April 1, 2001 (msvcrt.dll)
ARCserve (Cheyenne) - has plaintext passwords in exchverify.log file
ARCserve sends administrator password in clear text; password sent to port 6050
Args.bat should be deleted that comes with Website Pro
ARP problem in NT (4/99 bugtraq)
Artisoft XtraMail v1.11 vulnerability (11/99, ntbugtraq)
ASP data can be cached and used on another web site; install SP6 (Q197003)
ASP period bug - Adding a period to an ASP gives scripting information. Install IIS 4.0. (Q163485)
ASP.DLL - Has a memory leak. Apply asp-fix (aspfix.exe) for ASP 1.0B (IIS 3.0) only. (Q165335)
ASP Page Contents Visible in IIS - apply fesrc-fix hotfix (Q233335 and MS98-003)
AspUpload 1.4 buffer overflow (ntbugtraq 7/99) (fixed in ver 1.4.0.2)
Ataman (ATRLS) rlogin and telnet running.
ATAPI Iomega Clik - Install the Clik-fix hotfix.
Audit File and Object Access. Audit for failure. Turn on all auditing.
Audit Logon and Logoff - Audit for failure.
Audit not enabled. Audit is turned off by default.
Audit User and Group Management for success and failure.
Audit Restart, Shutdown, and system for success and failure.
Audit Security Policy changes for success and failure.
Audit Use of User Rights for failure.
Authenticode vulnerability (MS03-041; KB823182)
AutoAdminLogon - Disable. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon. Change AutoAdminLogon to 0.
Autologon password readable
AutoReboot - enable. Go to HKLM | SYSTEM | CurrentControlSet | Control | CrashControl | AutoReboot. Set REG_DWORD to 1.
AutoRestartShell. Enable. Go to HKLM | SW | Microsoft | Windows NT | CurrentVersion | Winlogon. Change AutoRestartShell to 1.
autorun.inf can be run anywhere; disable autorun (HKLM\System\CCS\Services\Cdrom set to 0)
AutoStart Mac Worm; deldb file (2/99, ntbugtraq)
Avirt Mail Server 3.3a or 3.5 has buffer overflow problem (11/99, ntbugtraq)
Back Orifice - Windows 95 and 98 vulnerabilities program from Cult of Dead Cow. (MS98-010)
Back Orifice BUTTplugs - speakeasy, silk rope, saran wrap, butt trumpet
Back Orifice 2000 (BO2K) backdoor (bo_peep.dll, bo2k.exe, bo2kcfg.exe, bo2kgui.exe, bo3des.dll, umgr32.exe)
Backup fails on certain directories. Fixed in SP2. (Q142671)
Backup - User Rights "back up files and directories" should be for Admin and Backup operators only.
Backup Time using the 24 hour time always uses PM. Fixed in SP2. (Q147552)
Backups - Make regular backups. Not audited by default. Add FullPrivilegeAuditing to hklm\system\CCS\Control\Lsa reg_dword of 1
BackWeb - password in HKCU\SW\Backweb\Backweb\Communication
Banner Information - Go to HKLM | SW | Microsoft | Windows NT | CurrentVersion | Winlogon. Edit the LegalNoticeCaption and LegalNoticeText.
Base System Objects.
enable stronger protection on base objects; no audit by default
BASIC HTTP Authentication enabled
BAT/CMD bug - Avoid using batch and command files on a server. IIS 1.0 vulnerable.
Batch (*.BAT) files. Do not allow *.bat extensions in CGI applications.
Berkeley "r" commands. Disable any Berkeley "r" service (rlogin, rsh, rcp, rdist).
Beta 1, Service Pack 3 - Has a bug that may cause a DoS. Upgrade to SP3. (Q141381)
BFTelnet Server v1.1 remote DoS attack (11/99, ntbugtraq)
BHSUPP.DLL - Use a strong password on this DLL. Used by the network monitor.
Bind - Do not allow binding to any port.
BIOS date value does not immediately update on Jan 1, 2000; apply post SP5 BIOS2-fix (Q216913)
BisonWare FTP Server 3.5 doesn't close old socket; buffer overflow (ntbugtraq 5/99)
BizTalk Server 2000 latest service pack is SP 2
BizTalk Server vul (KB815207)
Blank passwords - Do not allow. Disable "Permit Blank Password" on the Policies menu.
blank password logins; apply post-SP4 hotfix (MS99-004; Q214840)
Boink - Delete boink files. They cause a DoS. (Q179129)
Bonk - Delete bonk files. They cause a DoS.
Boot - Restrict the boot process. Disable booting from the floppy drive.
bootdisk - linux bootdisk can gain access to NT system (bootdisk.bin)
Boserve.exe usually has a virus in it; delete
BoSniffer - Trojanized Back Orifice
Brief 3.0 - Borland Brief 3.0 causes DoS. Fixed in SP2.
(Q163773)
Brown Orifice on Netscape uses Java to gain access; delete bohttpd files
browsing enabled for web directory on IIS
Brutus password cracker (brutus.exe and brutusA2.exe)
Bypass Traverse Checking granted to everyone; remove the Everyone group
Bypass Traverse Checking user right disabled could cause DoS in SP 1-3; Q177676
C2 Update patch for SP6 needed (Q244599)
cache - manager problems; not flushed on ide/atapi disks (Q179433) (Q153296)
cache bypass vulnerability with Outlook; install latest IE (MS00-046; Q247638)
cached logons enabled hklm\sw\microsoft\windowsnt\currentversion\winlogon\ cachedlogonscount:reg_sz:0
Call (Excel) - see Excel
Carbo server
Cartman (cartman2.exe) can cause a DoS
Case Insensitive Filenames - Lowercase filenames are examined first.
case sensitivity vulnerability (3/99, ntbugtraq)
cc:Mail - Release 8 stores cleartext passwords in ~callmnt.bat.
CD-ROM allocation - unallocate. Go to HKLM | SW | Microsoft | Windows NT | CurrentVersion | Winlogon. Add AllocateCDRoms, REG_DWORD = 1.
CD-ROM autorun enabled; HKCU\SW\Microsoft\CV\Policies\Explorer\NoDriveTypeAutoRun set DWORD value to 181
cd.. bug - Causes DoS in Windows NT 3.51 when using Samba.
Cerberus Internet Scanner (cis.exe) for info gathering
CGI Scripts - Disable directory browsing; can hang IIS (Q143484)
Chargen Flooding - Causes DoS. Apply simptcp-fix. (Q154460)
Chargen service enabled
Cheyenne Inoculan - Creates a shared directory, CHEYUPD$. Change the shared permissions.
chntpw.exe - Password program used to gain access to NT
chunked encoding post vulnerability, IIS 4.0; install patch; Q252693
CIFS
Cirrus Logic Cards - Changing colors may cause a DoS. Fixed in SP2. (Q160420)
CLASSPATH length limit - crashes IIS; can't load again (2/99, ntbugtraq)
ClientAccess
Client script debugging enabled on IIS
clip art vulnerability; install patch MS00-015
Clipboard - Clear clipboard contents before logging off or locking your computer.
clipboard content in IE 4 may be made public by simple javascript code (2/99, ntbugtraq)
Clock - May cause DoS when set in digital display. Fixed in SP3. (Q163936)
CMD.EXE - Don't use as CGI scripts. Disable BAT/CMD files mapping.
Code.asp - sample IIS 4.0 file to view source code; delete
Codebrws.asp - can view files in IIS 4.0; delete
Coke
ColdFusion (Allaire) security breaches - example apps; SQL; expression evaluator; update delete openfile.cfm, displayopenedfile.cfm, and exprcalc.cfm; install Allaire patch
ColdFusion outdated; latest version is MX 6.1
Command (*.CMD) files - Do not use in CGI applications.
Compact Discs - Some CDs can't be read. Fixed in SP2. (Q142687)
Compaq Insight Manager - overwrites legal notice caption and text
Compaq Presario backdoor using Internet Explorer (Win 98)
Compaq Proliant 6500 server and SP6 with NC31xx LAN cards causes BSOD; needs patch
Compatibility registry - restrict
component attribute vulnerability; Internet Explorer; patch (MS00-033, Q262509)
ControlIT - password encryption vulnerability
Controls folder registry - restrict
convlog.exe on IIS 3.0 gives incorrect dates; install new convlog.exe (Q245329)
Cookies - Set your browser to not accept cookies.
cookie access vulnerability, IE; patch (MS00-033; Q262509)
CPU attacks - Apply the latest Service Pack and all hotfixes.
cpuhog - runs at priority level 15 and causes a very good denial of service.
CrashOnAuditFail and Auditing of ProcessTracking on NT 3.51 causes DoS
CrashOnAuditFail and Logon Enabled together may cause DoS - apply SP4
Creation date bug
Cross Frame Security - can read files on a user's computer - Affects IE 4.x. Patch.
Cross Frame Variant can execute a script on a web site IE - load MSHTML update (Q221331)
Cross-Site Scripting Vulnerability can inject code; patch (Q260347 and MS00-060)
CryptoAPI - backdoor with NSA
Cryptographic keys vulnerability, W2K; install SP1 (Q252325)
cscript.exe
CSMMail - SMTP server with stack overflow problems
CSM Proxy
CSNW - Client Services for NetWare causes a DoS with ctrl+alt+del. Fixed in SP3. (Q163874)
CSRSS worker threads can cause DoS; apply CSRSS-fix hotfix (Q233323 and MS99-021)
Current Version Registry - Go to HKLM | SW | Microsoft | Windows | CurrentVersion. Set Run, RunOnce, and Uninstall to read only. (Q126713)
da Vinci - stores all data in .mdb file; can get personal info without password
DAT files - examine *.dat files. They contain all web sites visited.
DataFactory registry needs to be protected hklm\sw\microsoft\datafactory
Date and Time - Does not recognize Feb 29, 2000. Install y2k-fix (Q175093)
Daylight Savings time lock up (3/99, ntbugtraq)
Dblclick fix outdated - bad win32.sys file
DCOM - Fails when client and server are on the same node. Apply roll-up hotfix (roll-upi.exe).
DCOM configuration utility (dcomcnfg.exe)
DCOM enabled. Disable. Go to HKLM | SW | Microsoft | Ole. Change EnableDCOM to N.
Debug Rights - User Rights "Debug Programs" should be examined. Remove users or groups.
debugger registry value - Admin group only
DeepThroat backdoor (remotecontrol.exe, patch.exe)
default passwords may exist in registry (winlogon, etc)
Deletion of files - files may have the wrong permissions and unauthorized users may delete files they didn't have access to.
desktop in W2K does not constrain applications; apply desktop patch (MS00-020, Q260197)
DHTML Edit vulnerability - apply patch (MS99-011)
Dial-Up Networking password cached - disable the RasMan Save password option
Dialer.exe - apply Dialer-fix, post SP5 (MS99-026)
DoS (Denial of Service) attacks - Apply the latest hotfixes.
Device Driver Rights - User rights "Load and unload device drivers" should be Admin only.
DHCP - Limit the use of DHCP services.
DIR ..\ - This causes a DoS in NT 3.51 with Samba client.
Direct Draw - hangs with S3 video adapter. Fixed in SP3.
DirectDraw enabled hklm\sys\ccs\control\graphicsdrivers\DCI\Timeout change REG_DWORD to 0
DirectX; update to 9.0b
Disc fix - fixes buffer problem for RRAS - apply disc-fix hotfix
Disk Administrator can corrupt partitions on NT 3.51 (Q135308). Apply SP5.
Distributed denial of service attacks (tfn, trinoo, tk2k, stacheldraht)
DLLs - Do not allow directories to have CHANGE permissions.
DNS AnswerCount - When greater than 0, DNS server will crash. Apply dns-fix (dnsfix_i.exe).
DNS cache - Deleting the ARPA domain can cause a DoS. Fixed in SP2. (Q163736)
DNS cached records - DNS may crash when changing TTL of cached records; Install SP4 (Q194168)
DNS Port Flood - Flooding port 53 (DNS) causes a DoS. Apply dns-fix.
DNS Server - A bad network packet can lead to a DoS. Apply the dns-fix.
DNS queries - Failed DNS queries may lead to a DoS. Fixed in SP2.
.doc file
Domain Control Server. Monitor the network for additional servers which can gather information.
Domain controller trusts on W2K fail at LMCompatibility 4 or 5; install SP1 (Q257646)
Domain_Create_Alias
Domain Local Group Creation. Users can create domain local groups and cause a DoS.
Domain Resolution vulnerability for IIS 4.0; apply iprftp-fix (MS99-039 and Q241562)
Dongle - Communications on a port dongle may fail. Fixed in SP2. (Q143126, Q159144)
Dot Dot Bug - A URL with ..\.. can browse. Upgrade to the latest IIS.
Double Byte Code Page - IIS vulnerable if in Japanese, Korean, Chinese; patch available
Download Behavior, IE5 (MS99-040); disable active scripting
Dreamweaver (Macromedia) - password in HKCU\SW\Macromedia\Dreamweaver\Sites\-Site(x)\
Driver Replacement - Can cause a DoS. Fixed in SP2.
(Q160354)
Drives registry - restrict
Drivers32 registry - restrict
Drivers.desc registry - restrict
Dual Boot - Convert FAT to NTFS. Do not allow FAT partition.
Dumpdel.exe - dumps event logs; delete from production servers
DDE Destroy Window - Causes a DoS. Fixed in SP2. (Q158707)
EBCDIC characters. May be unreadable. Apply the SAG-fix (Q177471)
Echo Service. Disable from Simple TCP/IP. Go to HKLM | SYSTEM | CurrentControlSet | Services | SimpTcp | Parameters. Change EnableTcpEcho and EnableUdpEcho to 0.
EditFlags not set to confirm before opening on Word, Excel, Powerpoint
Embed patch for Windows 95. Fixes IE 4.01 vulnerability to DoS. Install embd patch (em40195.exe).
Embedding registry - restrict
Emergency Repair disk. Make ERD with rdisk /s and store in safe place.
Encapsulated SMTP Address vulnerability in MS Exchange 5.5 Server; apply imc-fix (MS99-027)
Escape Character Parsing vulnerability - apply patch; Q246401 and MS99-061
Eserv 2.50 web interface server directory traversal vulnerability (11/99, ntbugtraq)
Eudora 4.0/4.0.1 - an email message could execute an arbitrary command. Upgrade to 4.0.2
Event Log - User Rights "access this computer from network" for Admin only. (Q164938)
Event Log - lack of notification when security event log gets filled up
Event Viewer Logs can't be saved remotely. Fixed in SP2. (Q156884)
Everyone Group - Replace users from Everyone Group into Authenticated Users group.
EvilFTP Backdoor (msrun.exe and fixit.exe)
Exair sample directory in IIS can lead to DoS; delete directory
Excel REGISTER.ID can reference any DLL; install Excel update (Q269252; MS00-051)
Excel CALL - calls DLL without warning the user; Apply Excel 97 CALL patch (Q196791)
Excel Macro Interpreter disabled (Q241900)
Excel macro vulnerability (MS03-050)
Excel Registry - only admin and system should have access
Excel Symbolic Link (SYLK) vulnerability; install SYLK patch; (MS99-044)
Excessive Login Attempts - Limit to 3 failed attempts on Policies | Account
Exchange Server 5.0 problems
Exchange 5.5 OWA Cross-Site Scripting vul (MS03-047 and KB 828489)
Exchange 5.5 problems (Q147222)
Exchange 5.5 service pack (latest is Service Pack 4)
Exchange Server Extended Verb Vulnerability (MS03-046 and KB829436)
Exchange Server LDAP Bind function vulnerability - apply DIR-fix hotfix (Q221989)
Exchange Server Protocols - apply STORE-FIX and IMS-FIX. (MS98-007).
exchverify.log from Cheyenne for Exchange has plaintext password (3/99, ntbugtraq); InocuLAN
Excite Web Server 1.1 - Replace Perl file with architext_query.pl from www.excite.com
executable web directory
Execute Only files - With NetWare, can hide files. Fixed in SP2. (Q157279)
exefile registry altered hklm\sw\classes\exefile\shell\open\command:REG_SZ:"%1" %*
Expired Passwords - User must log on to change password. Admin changes expired password.
ExploreZip worm\virus\trojan; delete explore.zip and zipped_files.exe; look for HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run and explore.exe or _setup.exe (Cert Advisory CA-99-06)
Explorer.exe - do not make available on desktops in public areas
Explorer registry - restrict
Expression Evaluator in Allaire ColdFusion - needs patch (ASB99-01)
extension data in URL vulnerability; patch (MS00-030; Q260205)
Extensions registry - restrict
Eyedog ActiveX control not safe for scripting - apply eyedog-fix (Q240308)
FakeGINA.dll - trojan horse; delete file and registry setting in \winlogon and passlist.txt
FastTrack v3.01 - get/pub/head provides a directory listing
FAT file system
Fault Tolerant systems - Install scsi-fix. Go to HKLM\SYSTEM\CurrentControlSet\Services\Disk. Add ScanDisconnectedDevices (Q171295)
favicon.ico (4/99, ntbugtraq)
favlist.htm is a default application in IIS 3.0 to make web pages; delete
Fesrc-fix hotfix missing on IIS (Q233335 and MS98-003)
File corruption - Rapid access changes file corruption. Fixed in SP1. (Q178303)
File Manager with MS Office 7.0 - sees files in NT 3.51
File Permission canonicalization vulnerability on IIS; patch (MS00-057 and Q269862)
File Rename - A file may be deleted while it is renamed. Fixed in SP2. (Q159071)
Find
Finger Service - Disable.
FirstClass Intranet Server stores clear text passwords
FirstWatch transition failures (Q171295)
Floppy Drive Allocation - HKLM\SW\Microsoft\NT\CurrentVersion\Winlogon. Add AllocateFloppies and REG_DWORD=1
Fm20.dll - could be used to read or export text; remove MS99-01 and Q214757
Fm20enu.dll - could be used to read or export text; remove MS99-01 and Q214757
FoolProof - search memory for string "FOOLPROO" and next bytes are passwords
Footprint.* - A W97M.Footprint Word macro virus; delete
Force Shutdown Rights - User Rights "force shutdown from remote system" for Admin and Power Users
Forced Logoff - On PDC, Policies|Account.
Click "Forcibly Disconnect Remote Users From Server"
Form Data Submit Warning in IE should be set to prompt under security settings
Forms 2.0 - install patch to prevent exploit on user's clipboard (Q214757)
Fpcount.exe - has exploitable buffer overrun
FPNWCLNT.DLL - Delete if it exists. Check HKLM\SYS\CCS\Control\Lsa\Notification Packages
Frag.c
Fragmentation Attack - Causes a DoS. Fixed in SP3.
frame domain verification vulnerability, IE; patch (MS00-033; Q262509)
Frame Domain Verification vul II; IE; patch or load latest IE (MS00-055; Q266336)
Frame Navigation Enabled in IE 5.x; disable
Frame Spoof Vulnerability for IE - Apply frame spoof patch. (Q167614)
France attack - switch to French and CryptoAPI disables itself
Freiburg (Jabadoo) bug - IFRAME size 1 by 1 can capture text. Fixed in IE 4.01.
Frontpage - IUSR account has full control. Select good password.
Frontpage - http://www.com/_vti_pvt/administrators.pwd (_vti_pvt is world writable)
FrontPage Server Extensions (FPSE) vulnerabilities (MS03-051; KB813360)
FTGate Version 2.1 web interface server directory traversal vulnerability (11/99, ntbugtraq)
FTP - Upgrade the ftp service that comes with NT 3.51.
FTP connection requests on IIS 4.0. Install ftpfix4i.exe (MS98-006 and Q189262)
FTP Download vulnerability; install Iprftp-fix (Q241407)
FTP list - Bad list request after ftp can crash IIS; Install patch (Q188348, MS99-003)
FTP Serv-U 2.5 has buffer overflow problem (ntbugtraq 5/99)
Ftpls-fix hotfix missing on IIS (Q188348 and MS99-003)
FTPSVC.DLL in NT 3.51 has problems (Q131241). Install SP5.
FTP.INI
Full Armor
Fun Love worm
Gasys.dll - part of getadmin; delete
GateCrasher backdoor (port.exe, port.dat, gc client.exe)
Generate Security Audits Rights, User rights - should be blank
GET ../.. can crash IIS. Upgrade to latest IIS.
GET requests; malformed can cause DoS on IIS; install Infget-patch (Q192296); note: stop IISADMIN, SMTPSVC, and W3SVC services before installing patch (2/99, ntbug)
Getadmin - Apply getadmin-fix. Set HKLM\SW\AntiShut with no permissions. (Q146965)
getfile.cfm in Allaire Forums 2.0 allows anyone access on the server running Forums
Gina_x86.dll - trojan GINA; delete file and in \HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon\GinaDLL registry
Gina-fix post-SP4 patch needed for SP3 and SP4 (Q214802)
Group Accts have wrong permissions. Check for rights and permissions.
Group Creation on a Domain. Use creatals.exe (Q161990 and MS98-001)
Group Rights misconfigured. Properly configure Group Rights.
GroupShield (NAI) for Exchange causes message loss
Grpconv - converting from 3.51 to 4.0 can cause DoS. Fixed in SP2. (Q157621)
Guest Account enabled. Disable Guest account.
HackerShield creates NetectAgentAdmin$ account with same admin password on all machines
Handler Mapped File Extensions
Handshake bug - crashes Netscape Enterprise Server
Happy99 - A Trojan Horse; look for ska.exe and delete
Heavy Event Logging will cause DoS. Fixed in SP3.
Help and Support Center Function vul (MS03-044 and KB825119)
help utility - buffer overrun; patch (MS99-015)(winhlp32-fix)
high encryption pack needed for W2K
High frequency of events will cause DoS. Fixed in SP3.
Hit-Highlighting argument malformed; install the index server patch; Q251170, MS00-006
HKEY_CLASSES_ROOT - Restrict registry access. Writable to Everyone on NT 3.51 by default.
HKEY_LOCAL_MACHINE not restricted
HostAnnouncement Flooding vulnerability; patch (MS00-036; Q262694)
Hotfix Rescinded - Delete old or rescinded hotfixes.
Hotfixes (post SP3 and post SP4)
Hotmail hole - can read email; can display false login screen using HTML STYLE tag
Hotspot (ntbugtraq 7/99)
HTML help file vulnerability, Internet Explorer; patch (MS00-037, Q259166)
.htr file fragment reading vulnerability; ISMPT patch (MS00-031; Q260838)
Httpd
IBM DTTA 10.1 GB drives - size incorrectly reported (Q183654). Apply atapi hotfix.
ICKill
ICMP bug - causes a DoS. Apply teardrop2-fix. (Q154174)
ICQ ActiveList Server exploit (NTBugtraq 10/99)
IDC file - used to learn the physical location of web service root directory (Q193689)
IE0199.exe - a trojan horse; delete
IE 3.x - Arbitrary commands may be executed. Upgrade to IE 4.01 SP1 with patches.
IE 4.0 - apply Service Pack 2
IE 5.0 vulnerabilities - clipboard; crossframe; screen saver; files to remote server; paste; disables task manager; alters cookie settings; schedule service; favicon.ico; install Outlook 98 after IE 5.0 will crash the install
IE 5.0 - displays FTP user names and passwords at bottom of screen when accessing protected ftp site
IE 5.0 ImportExport favorites (MS99-037)
IE 5 installed on Windows 2000 could lock up W2K; Q255669
IE Cross Frame Navigate Vulnerability (Q168485 and MS98-013)
IE Cuartango security hole - affects IE 4.x; cut and paste file in input type and name
IE drag and drop vulnerability (MS03-048)
IE ExecCommand Cross Domain vul (MS03-048)
IE function pointer override vul (MS03-048)
IE Object Tag vul (MS03-040 and KB828750)
IE Page Redirect - Authentication information could be captured. Upgrade to IE 4.01.
IE Script URLs Cross Domain vulnerability (MS03-048)
IE Scripted Paste vulnerability - apply IE4USP.exe patch for IE 4.01
IE Task Scheduler vulnerability for IE5
IE Upgrade Trojan Horse - delete ie080898.exe and shell32.exe
IE XML Object vulnerability (MS03-048)
IFRAME ExecCommand Vulnerability; install MSHTML patch (Q243638; MS00-042)
IGMP - fragmented IGMP packets can cause DoS; apply IGMP-fix (MS99-034, Q238329)
Iis4-datafix hotfix missing from IIS 4.0 (Q188806 and MS98-003)
Iis4-ftpfix hotfix missing from IIS 4.0 (Q189262)
IIS 4.0 problems - apply QFE Update iis_hotfix
IIS application mapping of .htr, .stm, .idc can cause DoS; apply IIS ext-fix hotfix (Q234905)
IIS browsing may cause a DoS. Fixed in SP2.
IIS exposes the host's local IP address (Q218180)
IIS GET Vulnerability - apply GET patch.
IIS vulnerability in IIS 2.0 and 3.0 - Server-side scripts can be viewed. Install iis-fix.
IISADMPWD under \winnt\system32\inetsrv\iisadmpwd should be restricted to Admin only; test with http://IP address/iisadmpwd/aexp3.htr
Iiscrash.exe can cause a DoS
Iishack.exe - Exploit that can cause DoS on IIS 4.0
ILOVEYOU worm
Image header vulnerability; apply SP6 (Q234557; MS99-023)
Image Source Redirect Vulnerability; install patch (Q251109, MS00-009)
IMail vulnerabilities (3/99 ntbugtraq); can cause DoS
Index Server 2.0 - opens AllowedPath in registry (3/99,
ntbugtraq) HKLM\System\CCS\Control\ContentIndex\Catalogs
Index Server error message vulnerability on W2K; install SP1 (Q252463 and MS00-006)
Index Server Webhit vulnerability; apply patch Q251170, MS00-006
IMG SRC Tag - can be used to point to files of any type - load MSHTML update
Initial Sequence Number vulnerability; patch (MS99-046, Q243835)
ImportExport Favorites in IE 5 (MS99-037)
Index Server needs a patch to prevent reading files; MS00-006
Index Server Error Message vulnerability shows file paths; apply patch; MS00-006, Q252463
InetInfo - can crash if security permissions too restrictive
Infget-fix missing from IIS (Q192296 and MS98-019)
Infis virus
Inoculan (Cheyenne) - passwords in plain text
Insight Manager (Compaq)
Internet Anywhere Mail Server vulnerability (NTbugtraq 10/99)
Internet Explorer IE Script vulnerability; load up latest IE (IE 5.5)
Internet Mail
Internet Messaging Service, MS Exchange; apply imc patch (MS99-027)
Internet Settings registry - restrict
InterScan VirusWall 3.23/3.3 buffer overflow (11/99, ntbugtraq)
Invalid URL to IIS 4.0 can cause DoS; patch (Q271652 and MS00-063)
IoCompletionPort - DoS when a process does a raw disk I/O. Fixed in SP2. (Q159204)
IOCTLs unprotected; can cause DoS; apply IOCTL-fix patch (MS99-024 and Q236359)
Iomega Zip Drive - ATAPI version may not access the disk. Install zip-fix (Q154094)
IP address conflict - apply SP4.
IP Forwarding - disable. Go to Network | Protocols | TCP/IP | Properties | Routing. Deselect.
IP fragment reassembly vulnerability; patch (MS00-029, Q259728)
IParty - large numbers of ASCII 255 or Hex FF will close iParty chat program
IPC$
IRCXpro server password vul; latest version is 1.0.0.1464
IRDP allows unwanted routes
ISAPI extension vulnerability (3/99, ntbugtraq)
ISAPI scripts - don't run if you do not trust.
Ism.dll - can access previous isapi app if IIS 4 was upgraded
ISN patch has regression error (MS99-046, Q243835)
IUSR_COMPUTERNAME - Created with IIS.
Protect with good password or remove account.
Java Applets - Can cause a DoS with IE 3.x and 4.0. Upgrade to 4.01. (Q168748)
Java applet should be disabled in IE under security settings
Java Permissions - Java should not operate out of its sandbox. Set IE Internet Options.
Java Runtime Environment Classloader vulnerability
Javascript redirect vulnerability; apply patch (Q244356; MS99-043)
JavaScript should be disabled under IE security settings
Java-fix - java-fix hotfix has been rescinded. Delete.
Java VM applet could operate out of sandbox; install VM patch (Q271752 and MS00-059)
JavaWebServer
Jet 3.51 (ODBCJT32.DLL) can be controlled by a hacker; update to Jet 4
Jet 4.0 vulnerabilities; install Jet 4.0 Service Pack 8 (KB829558)
JetcoPkg.exe - this fix for Jet 4 still has vulnerabilities
Joe Account - Select good passwords.
Jolt - Also known as SSPING. Causes a DoS. Apply teardrop-2 fix.
Joystick calibration. Install joystick-fix hotfix. (Q177668)
JScript scripts - Install new JScript engine 3.1b. (MS98-011 and Q191200)
Kernel Mode Handles - User mode programs may cause DoS. Fixed in SP2. (Q160650)
kernel object attributes not protected hklm\sys\ccs\control\session manager\EnhancedSecurityLevel REG_DWORD = 1
kernel-fix hotfix missing, SP4 (Q234557, MS99-023)
keygen
Killing Name Server
Kmddsp.tsp - buffer size problem; install disc-fix (discfixi.exe) (Q221331)
KnownDLLs list vul; set HKLM\SYS\CCS\Control\Session Manager\ProtectionMode:1 (MS99-006) (Q218473); apply the SMSS-FIX
Land Attack - Can cause DoS. Install teardrop-2 fix. (Q165005)
LANMAN passwords - Prevent LANMAN format. Go to HKLM\SYS\CCS\control\LSA. Add LMCompatibilityLevel with REG_DWORD value of 2.
LAN Manager Authentication Enabled
LanManager - This used to be fixed with the lm-hotfix. No longer available.
Large CGI requests - Causes DoS. For IIS 2.0 and 3.0 install iis-fix.
Large Files - Over 4GB causes DoS. Fixed in SP2. (Q160398)
Large RAM - Over 4 GB causes DoS. Fixed in SP2.
Last User Name - To hide on server, go to HKLM\SW\Microsoft\Windows NT\CurrentVersion\Winlogon. Add DontDisplayLastUserName and value of 1.
Latierra - Can cause DoS. Apply teardrop2-fix.
License Manager
Linux boot disk - Can be used to boot NTFS. Don't make floppy bootable.
Linux RPC client attack potential on W2K; install SP1 (Q262388)
ListBox and ComboBox Control vul (MS03-045 and KB824141)
LMCompatibilityLevel (Q175641) (Q147706)
LMCompatibilityLevel set to 3 may make shares unavailable; apply SP6 (Q236414)
LSA - An access violation could give access. Apply the lsa-fix.
Local Security Policy Corruption in W2K can cause DoS; install SP1 for W2K (Q269609 and MS00-062)
Lock pages in memory - User right "lock pages in memory" should be blank.
Lockout - Enable lockout after 3 failed login attempts.
Locks - High number of locks can cause DoS. Fixed in SP3. (Q163143)
Log Rights - User rights "Manage auditing and security log" should be Admin only.
logical drives shared on server or workstation (AutoShareWks) (set hklm\sys\ccs\services\lanmanserver\parameters\AutoShareServer REG_DWORD = 0)
Logging On - Press Ctrl+Alt+Del before logging on.
Logon Rights - Some are not audited. Fixed in SP3. (Q166478)
LogonType set to welcome screen instead of classic mode (XP); set LogonType=0 for classic mode
logon.scr - restrict; Everyone Read Only
Logs full - Set the shutdown option on a full audit log. Go to HKLM\SYS\CCS\Control\Lsa. Add CrashOnAuditFail and REG_DWORD = 1.
Long File Names - Use 8.3 compliant file names. Apply the sfn-fix hotfix. (Q190288 and MS98-008)
Long username vulnerability with smbclient
Lophtcrack - Do not allow on unauthorized systems. Some versions store info in temp dir
LPC Port Request vulnerability; apply patch - Q247869 and MS00-003.
LSA malformed request causes DoS; apply LSA3-fix hotfix (Q231457 and MS99-020)
LSA Secret Data - Users could display security information. Install lsa2 hotfix.
(Q184017)
LSASS.EXE memory usage
Lsass.exe memory leak, W2K; install SP1 (Q258817)
LsarRemoveAccountRights - If used, may delete accounts. Fixed in SP2. (Q159072)
Lyris listserver
Macintosh and Office 98 unwanted data (MS98-005)
Macromedia Dreamweaver - Passwords are stored. Check HKCU\SW\Macromedia\Dreamweaver\Sites.
Malformed Hit-Highlighting Argument vulnerability; apply patch; MS00-006, Q251170
Malformed HTTP request header - install hdbrk-fix (Q238349)
Malformed outlook GMT Header vulnerability; upgrade IE (MS00-043; Q267884)
Mandatory User Profile - Problem with userenv.dll. Fixed in SP3.
Map Registers - Allocating large numbers of map registers may cause DoS. Fixed in SP3. (Q167130)
Master File Table (MFT) will never shrink
MCI extensions registry - restrict
MCI registry - restrict
MDAC 2.x bugs; requires looser permissions than IIS in general; incompatible with inf4get-fix; can't update date in Excel
MDAC and IE5 (ntbugtraq 7/99) - upload the latest version of MDAC 2.1.1
mdac 2.0 installed in unsafe mode
MDAC 2.1 not compatible with Seagate Backup Exec
MDaemon
Media Services can cause DoS; patch (Q273014 and MS00-064)
Melissa macro word virus
Memory Dump files - Not generated when RAM exceeds 1.7 GB. Install 2gcrash hotfix. (Q173277)
memory.dmp file may contain sensitive info; created with CP\System\Startup-shutdown
Mercantyle
Messenger Service. Used for social engineering. Disable Messenger service.
Messenger Service Buffer Overrun (MS03-043 and KB828035)
metainfo
Microsoft Access
Microsoft Excel
Microsoft Exchange Server Information Store - Causes DoS. Fixed in SP3. (Q159176)
Microsoft Exchange Server protocols - breaks with SP4; add HKLM\System\CurrentControlSet\Service\Tcpip\Parameters\UseIpStackAddresses (Dword=1)
Microsoft Messenger Service - passwords stored in the clear
Microsoft Peer Web Server
Microsoft Transaction Server - May give unauthorized access. Apply roll-up fix.
Mimail worm; delete videodrv.exe mIRC mixed object access vulnerability, W2K; patch (MS00-026, Q259401) MK Overrun bug - URL with mk:// may cause DoS. Apply the IE4mkbuff patch. Go to HKLM\SW\Microsoft\Internet Explorer\mkenabled. Set it to NO. modified teardrop attack ModuleUsage registry - restrict Monopoly.vbs - trojan horse Mount - Mount \\server\c$ by default. Fixed in SP3. MoveFileEx may cause a DoS. Fixed in SP2. (Q160658) Moving files - Moving files on same volume may cause DoS. Fixed in SP2. (Q159137) Mprexe.dll is a trojan horse; delete MS Access 1.x - An SID can be pasted over a table to gain access. Upgrade to latest MS Access. MS Backoffice - Buffer overflow problem. MS-CAPI; all modules signed by one key; possible to replace trusted signing key MS Excel - see Excel MS Exchange - not secured from relaying MS Exchange 5.0 - Service Account is vulnerable to password guessing. Disable the SA. MS Office 97 vulnerability - will not confirm when opening word, excel, or powerpoint MS Personal Web Server (Frontpage) - download files with http://www.com/....../ on Win 9x MS Proxy 2.0 - can bypass packet filtering with Ctrl-J MS Proxy Server 2.0 ftp WebProxy leak (ntbugtraq 7/99) Msadc directory unrestricted - change to Admin, SYSTEM Full control only (MS99-025) msadc.dll MSFTPSVC service - Disable. Go to HKLM\SYS\CCS\Services\MSFTPSVC\Parameters. Set EnablePortAttack to REG_DWORD value of 0. MSGINA.DLL can be Trojanized - Don't allow \system32 to have CHANGE privileges. (Q151082) MSHTML vulnerability - apply patch (MS99-012) MSN Messenger Service reveals user's password; apply latest version Msv1_0.dll - With SP4, can allow blank password; apply Msv1-fix hotfix (Q214840) Multi-Processor Systems. May cause a DoS. Fixed in SP2. (Q140065) multi-processor upgrade issues Multiprocessor using Halsp.dll - May cause a DoS. Fixed in SP2. Multi-threaded SSP ISAPI filter vulnerability allows unencrypted data. 
MS99-053, Q244613 name release datagrams not ignored on W2K; add to registry HKLM\SYSTEM\CCS\Services\NetBT\Parameters\NoNameReleaseOnDemand reg_dword:1 nat.exe - password cracker NBTSTAT - Used for info gathering. Disable nbtstat.exe on sensitive machines. Ncx.exe and Ncx99.exe - Trojan horses NDIS drivers - Can cause DoS when used with unnecessary filter drivers. Apply ndis-fix (Q156655) NDIS.SYS crashing under SP5 (ntbugtraq 7/99) NDS - DoS when long NetWare Directory Services are used. Fixed in SP2. (Q156091) NDS Map Objects - Causes DoS when logging to a NetWare 4 server. Fixed in SP3. (Q162077) Net.exe NetBEUI problems on NT 3.51. Apply NT 3.51 SP5. NetBIOS - Causes DoS. Remove the bindings between NetBIOS and TCP/IP. NetBIOS name server protocol spoofing vulnerability; patch (MS00-047 and Q269239) NetBIOS padding vul (KB824105) NetBT - Crashes if 6 IP addresses from WINS Server are sent. Fixed in SP3. (Q163883) NetBus - trojan horse and/or monitoring device; delete NetCPlus SmartServer3 POP 3.51.1 exploit (11/99, ntbugtraq) NetDDE - fails to relay terminate response; apply NetDDE-fix (Q231337) NetectAgentAdmin$ account (from HackerShield) has non-random same admin password Netldx.vxd - part of the W97M.marker virus for Word; delete Netlogon protocol vulnerability; upgrade to SP4 or better (ntbugtraq - Jun 5, 2000) NetManage - buffer overflow with username > 150 characters or GET >519 characters NetMeeting - Speed Dial can cause a DoS. Upgrade to latest Netmeeting. NetMonExploit.tgz - bhsupp.dll password cracker for Network Monitor Netscape 4.7 buffer overflow Netscape - Earlier versions had security problems. Upgrade to 4.07. Netscape Bell Labs Privacy Bug - affects Navigator 2.0, 3.0 and Communicator 4.01. Sees web site addresses Netscape Brumleve Cache Bug - Reads URLs from a user's cache on Nav 3.x and Comm 4.0 to 4.06. 
Netscape Cache Cow - same as Brumleve cache dump Netscape Communicator - security problems in old versions; upgrade to 4.61 Netscape Danish Privacy Bug - Retrieves known files on Nav 2.0 and 3.0 and Comm 4.0. Netscape Enterprise Server buffer overflow; apply 3.6 SP2 SSL Handshake fix Netscape FastTrack Server buffer overflow Netscape French Privacy Bug - observes user's preference files on Communicator. Netscape Injection bug - affects Nav 3.x, Comm 4.0 to 4.07, Comm 4.5. Netscape javascript bug - cache theft and CGI submissions using GET. Up to Communicator 4.07 Netscape Long File Mail Vulnerability - can cause DoS in Communicator Netscape Messenger - executing malicious JavaScript can cause DoS. Netscape Million Question Vulnerability - could decrypt SSL on server - patch. Netscape Navigator using Mail Notification 4.5 has password in registry (3/99, Ntbugtraq) Netscape PageServices /?PageServices can read files in Netscape Enterprise 3.5.1 server Netscape parser - Netscape 4.x will crash when given a content-type of "internal/parser" Netscape Preferences Bug - can read the prefs.js in Communicator 4.0 to 4.04. Netscape Santa Barbara Privacy Bug - Can see a user's browser information on Communicator. Netscape Singapore Privacy Bug - Can see visited URLs and data in HTML forms in Communicator. Netscape "Son of Cache-Cow" Vulnerability in Communicator 4.07 Netscape Tracker Bug - sees web sites visited, cookie and form submission in Navigator 3.0 NetShield NetSphere backdoor (nssx.exe, netshpereclient.exe, netsphereserver.exe) Netstat.exe Net View NetWare client (v 4.10) for Terminal Server allows too much privilege; load latest client Network Adapters - Using 2 causes DoS. Fixed in SP2. (Q159108) Network Monitor network monitoring agent running - disable Network Interface cards - If host is outside a firewall, could be an entry point for a hacker. Network Monitor - Could be used as a network sniffer. Use a strong password. 
NetXtray - buffer overrun > 65 characters Newdsn.exe - Under IIS 3.0 can be used to create files. Delete newdsn.exe. Newtear - causes a DoS. Apply the teardrop-2 fix. NFS - Disable NFS services. Examine Server Manager | Shared directories NNTP problems (Q188369 and MS98-007) Nobo bobo Back Orifice scanner - crashes with find /|nc -u 10.1.1.17 31337 (netcat) Norton Antivirus for Internet Email Gateways 1.0.1.7 stores password in clear Norton Antivirus for MS Exchange 1.5 stores password in the registry Notification Package - Examine HKLM\SYS\CCS\Control\Lsa. (Q161990) NSAkey - backdoor in CryptoAPI NT LM SSP - Disable this service. Could be used to capture passwords. NTBACKUP - Fails to backup when running MS Exchange Server. Fixed in SP3. (Q164161) Ntcrash NTFS file corruption for > 4 million files; apply ntfs-fix (Q229607) NTFS Formatted Media. Removable media in NTFS does not eject. Fixed in SP2. (Q148525) NTFS meta-files - Opening certain NTFS metafiles can cause DoS. Fixed in SP2. (Q142648) NTFSDOS.EXE - A DOS floppy with ntfsdos.exe can boot the system. Don't make the floppy bootable. Ntis.exe - used for information gathering and web server vulnerabilities NTLDR - replace the ntldr file on the boot drive with the file from the 4.0 cd-rom. NTmail - crash with telnet to 25; issue "vrfy" and send > 1040 characters NukeNabber NullSessionPipes (Q143138) Object Rights - User Rights "create permanent shared objects" should be blank. OBJECT tag vulnerability with Office 2000; patch (Q269368 and MS00-056) ODBC - The trace DLL, odbctrac.dll, should be deleted. Office 2003 vulnerabilities (KB828041) Office HTML script containing Excel or PP object; patch (MS00-049; Q268365) Office ODBC Driver vulnerability; install ODBC driver vulnerability security update (MS99-030) offline password and registry editor detected; delete bd000607.img boot disk OLE registry - Go to HKLM\SW\Microsoft\Ole. There should be no write access for non-admins. OOB (Out of Band) - Causes DoS. 
Install teardrop-2 fix hotfix. (Q143478) OpenNT Opera web server outdated (latest is 7.23) Operating System Priv - User rights "act as part of the o/s" should be blank Option Pack 4.0 problems - Apply QFE fix Oracle - passwords in plaintext with oracle 8.0.3 and Oracle Database Assistant v1.0 OS/2 - network client connected to NT server may cause DoS. Fixed in SP1. (Q156832) OS/2 Subsystem - Go to HKLM\SYS\CCS\Control\Session Manager\SubSystems. Remove Os2 from Optional. Os2LibPath registry value exists in HKLM\System\CCS\Control\Session Manager\Environment Outlook 98 security issues - long filenames (MS98-008); install Outlook Express File patch Outlook 98 - if installed after IE 5.0, the install will crash Outlook Express 5.0 can crash with outdated s/mime certificates (3/99, ntbugtraq) Out-of-Process MS Transaction Server problems (Q147222) Overwrite Events as Needed selected in event log; select another type of event log wrapping Ownership Rights - User rights "take ownership of files" should be Admin only. Padlock-IT - passwords in Padlock-it.dat Page File - Clear page file. Go to HKLM\SYS\CCS\Control\Session Manager\Memory Management. Set the reg-dword value of ClearPageFileAtShutdown to 1. Pagefile Rights - User rights "create a pagefile" should only be Admin. page redirect issue for IE 3.02 and 4.0 Palace parent path passfilt.dll - Go to HKLM\SYS\CCS\Control\Lsa. Add PASSFILT to Notification Packages. (Q161990) passwd1 and passwd1.lc found in TEMP file; files from l0phtcrack password appraiser - by quakenbush; may send passwords over the internet in the clear password caching password change cancelled - Can't unlock wks when changing. Fixed in SP3. (Q163616) password change in User Manager may cause DoS. Fixed in SP3. (Q140967) passwordlinux.IMA - image file to set admin password; delete passwords - select good passwords. 
passwords greater than 14 characters may cause DoS Patch registry value (netbus) trojan horse in the windows run registry PATH - NT has insecure path and always has a .\ directory. PCAnywhere - DoS with 200K of garbage; needs a patched aw32tcp.dll (NTB 5/99) PCAnyWhere 7.5 - When used to upgrade an NT, may cause a DoS. Upgrade PCAnyWhere. PCAnyWhere 8.0 - apply upgrade patch B disables screen saver; incompatible with roll-up fix; needs aw32tcp.dll patch PCMCIA - Some PCMCIA devices may cause DoS. Fixed in SP2. (Q108261) PDC with long name - security policies may not get applied. Fixed in SP3. (Q163875) PDC with long name truncated - Names are truncated to 13 characters. (Q164812) Peer Web Server should not be on an individual machine Pentium Processor - An invalid operand can cause a DoS. Apply pent-fix. (Q163852) Perflib - Go to HKLM\SW\Microsoft\Windows NT\CurrentVersion\Perflib. Set users to READ access. (Q146906) Perflib registry - restrict Performance Counter - calling for one not installed causes DoS (Q234351); install Perfctrs-fix hotfix Performance data unrestricted period in URL - may reveal ASP code on IIS PERL - Do not put perl into a web server's cgi bin directory. persistent link to Outlook Express; get latest IE (MS00-045; Q261255) Personal Web Server - Strings > 159 characters may cause DoS. PFCUser account vulnerability in the Compaq Insight Mgt Agents Phaze Zero Backdoor (msgsvr32.exe) Ping - ping.exe may cause DoS. Fixed in SP3. (Q163196) Ping - Large numbers may cause DoS. Fixed in SP3. (Q162542) PKCS Plain Text Password Authentication Enabled - disable (Q166730) (Q244627 for W2K) Plain text passwords not recognized on W2K; install SP1 (Q257292) Platinum PCM - send lots of data to a port where smaxagent.exe is listening (1827) causes DoS Plug and Play device driver update (KB822831) Pnserver Policy Changes - Policies may not be updated. Fixed in SP2. (Q157673) Policy Editor - Security policies may be lost. Fixed in SP3. 
(Q162774) Port 135 (RPC) - May cause a DoS. Install rpcfix hotfix. port locking not enabled hklm\sys\ccs\services\netbt\parameters\EnablePortLocking REG_DWORD = 1 Portal of Doom backdoor (portal.exe, server.exe, ljsgz.exe) Ports registry - restrict POSIX - Go to HKLM\SYS\CCS\Control\Session Manager\SubSystems. Remove posix from Optional. PowerPoint - If used with IE 3.x/4.x, apply the PPTWarn.exe patch. PowerPoint Options Registry - only Admin and System should have access PPP logging not enabled PPTP - An improper PPTP could cause a DoS. Install the pptp2-fix hotfix. (Q167040) PPTP with TCP/IP may cause a DoS. Fixed in SP2. (Q158387) PPTP Hotfix 3 - New fix. Install pptp3-fix (Q167040 and Q189771 and MS98-012) Preloader ActiveX Control vulnerability; install server-side patch (MS99-018, Q231432) Pretty Park worm (prettypark.exe, files32.vxd) Printer Driver - Restrict. Go to HKLM\SYS\CCS\Control\Print\Providers\LanMan Print Services\Servers. Create AddPrinterDrivers and REG_DWORD = 1. Printing to parallel port, computer may not reset during NT shutdown and restart (Q181022) Print Provider Permissions incorrect; install spooler fix (Q243649, MS99-047) Priority Level 15 - Programs at priority level 15 may cause DoS. Fixed in SP3. (Q135707) ProductOption registry key - If deleted, causes DoS. Fixed in SP1. (Q142655) ProfileList registry - restrict Profile Single Process - User rights "profile single process" should be Admin and Power Users only. Profile permissions Profile System Performance - User rights "profile system performance" should be Admin only. ProMail v1.21 freeware mail program may be a trojan protected store key only uses 40 bit encryption on W2K; apply patch or SP1 (MS00-032; Q260219) ProtectionMode should be enabled. Go to HKLM\SYS\CCS\Control\Session Manager Add ProtectionMode with REG_DWORD of 1. (MS99-006) Protocols - Go to Start | Settings | Control Panel | Networks | Protocols and delete any unnecessary ones. 
PWD password file for MS Access in plain text; restrict the CommDB registry HKLM\Software\ODBC\ODBC.INI\CommDB\PWD Pwdump and pwdump2 can dump SAM passwords PWL files - Do not allow *.pwl files as they are Windows 95 password files that are weak. Qhosts Trojan Horse changes DNS server settings Qmail has stray line feeds Quakenbrush password cracker Quota Rights - User Rights "increase quotas" should be admin only. QVT/Term Plus 4.2d FTP server vulnerability (11/99, ntbugtraq) RADIUS Server - with SP4, can authenticate as a non-existent user using PAP RAS - Go to HKLM\SYS\CCS\Services\RemoteAccess\Parameters. Examine contents. RAS logging not enabled RAS phonebook entry has unchecked buffer - apply SP5 and RAS-fix hotfix RAS Cache Password - apply SP5 and RASPassword fix hotfix (MS99-017)(Q230681) RAS PPTP RAS with modems have performance degradation - Fixed in SP2. (Q148378) RASMAN fix (MS99-041) RasMan password - dial up network can save password for each dial up connection add hklm\system\currentcontrolset\services\rasman\parameters\DisableSavePassword (dword=1) RASMAN Security Descriptor vulnerability; apply Rasman-fix (Q242294; MS99-041) RASMAN service permissions problem; can repoint the service to a different executable than the default Raspptpe.sys may cause DoS. Install the pptp2 hotfix. (Q179107) rcmd Service - remote users can execute commands. Comes with the NT Resource Kit. Remove. RDISK may save temp file that contains reg keys; install rdisk patch; Q249108, MS00-004. RDO Attacks RDS security implications (Q184375 and MS98-004; ntbugtraq 7/99) Real Player RealNetworks RealServer G2 buffer overflow (11/99, ntbugtraq) Reboot.ini may have passwords; delete from BackOffice Server 4.0 (2/99, ntbugtraq) Recycle Bin Creation vulnerability; install patch; MS00-007 and Q248399 RedButton - NT is vulnerable to RedButton attack thru Everyone group. Remove Everyone group Redirect bug - URL can be made to redirect a bat file. 
Do not allow bat or cmd files to be mapped to cmd.exe by IIS. Redirector Driver vulnerability; patch (MS00-036, Q262694) Redirector Network Performance degraded; disable the file system control filter; Q249799 REG files - View reg files before writing them to the registry. Select edit instead of merge for file types. Regedit command key - Go to HKLM\SW\Classes\regfile\shell\open. Change regedit.exe to wordpad.exe. Regfile Command Registry - Go to HKLM\SW\Classes\regfile\shell\open. No write access for non-admin. Registry Access - Go to HKLM\SYS\CCS\Control\SecurePipeServers. Add winreg with Admin full control. (Q155363) Registry has plaintext passwords Registry Run Key - Go to HKLM\SW\Microsoft\Windows\CV\Run. Everyone should have READ only. Registry tools disabled; "disable the registry editing tools" and select not configured or disabled Release Candidate (RC) of a service pack - not the real version (RTM) Remote Administrator - Disallow Admin Group remote access on the Policies menu. Remote Data Service (RDS) - disable (Q184375) Remote Explorer Virus REPLACE problems (Q156095) Remote Data Services (RDS). Disable HKLM\SYS\CCS\Services\W3SVC\Parameters\ADCLaunch\ (MS98-004) remote registry access authentication vulnerability; patch (MS00-040, Q264684) Remote Shell (RSH). Do not allow the RSH service. Remote Users have no expiration - Go to User Manager | Policies | Account and select "Forcibly disconnect ..." Removable media - Control access to removable media, floppies and CDs. Renamed executables - Examine files carefully so that doc files, etc. won't run. RenameFiles registry - restrict Repair directory - Select \repair Properties | Security | Permissions and give Everyone no access. REPLACE - The REPLACE command may replace wrong files. Fixed in SP2. Replace Process Level Token - User rights "replace a process level token" should be blank. RES - Long res:// URLs cause a buffer overflow in IE 4.0 for Windows 95 only. Upgrade. 
ResetBrowser Frame vulnerability; patch (MS00-036; Q262694) Resource Enumeration Argument Vulnerability; install the server service patch (Q246045, MS99-055) Restore Rights - User rights "restore files and directories" should be Admin and Backup only. RestrictAnonymous - Go to HKLM\SYS\CCS\Control\Lsa and add RestrictAnonymous with value of 1. (Q143474) REXEC Service - Disable the REXEC service. RFPoison program can cause DoS RIF - Routing Information Field with bad data on a token ring will cause a DoS. RingZero Trojan Horse (its.exe and ring0.vxd) RISC computers using SSL with IE 3.0 are insecure. Fixed in SP1. (Q142656) roaming files cached; disable hklm\sw\ms\windows nt\currentversion\winlogon add DeleteRoamingCache REG_DWORD 1 RogueX detected; network portscanner Rollback.exe - This program can wipe out registry entries. Delete if it exists. Rollup-fix hotfix missing, SP4 (Q195734) RPC - RPC call hangs NT (Q159176) (Q149819) RPC - RPC over TCP/IP may cause a DoS. Apply the roll-up hotfix. Rpc directory unrestricted (hklm\sw\ms\Rpc) - remove Everyone and replace with Authenticated Users RPC packet vulnerability in W2K; patch (MS00-066 and Q272303) RPCSS activation packet vul (MS03-039 and KB824146) RRAS and SP5 (ntbugtraq 7/99) RRAS password cache; apply SP5 and RRASPassword hotfix (MS-99-017)(q233303) RRAS upgrade - rras20-fix (Q168469) RRAS upgrade - rras30-fix (Q189594) RtKit trojan horse RTF file viewer vulnerability - Q249973 and MS00-005. Rtools Run, RunOnce, RunOnceEx, and Uninstall registries need to be restricted Rundll and Rundll32 is a trojan horse; delete; examine HKLM\SW\Microsoft\Windows\CV\Run RunOnce and SP5 may have programs in the registry that are not deleted SAM._ - Do not give the \winnt\repair\SAM._ any permissions. Samba server (3/99, ntbugtraq) Sambar sandbox mode disabled (reg_dword set to 0) hklm\microsoft\Jet\3.5 (or 4.0)\Engines SandboxMode:Reg_dword:2 Scanners - Do not allow scanners such as SATAN, Portscan, or NetProbe. 
Schannel.dll - Use the 128 bit version. It should say "US and Canada" not "Export Version" (Q148427) Schannel.dll, 40-bit version, has bad internal key; install correct version (Q247367) Schedule Services - Disable this service. Schedule key - Go to HKLM\SYS\CCS\Services\Schedule and remove write access to Server Operators. Scheduling Rights - User rights "increase scheduling priority" should be Admin and Power Users only. Scopy Screen Saver - Enable with password protection. Go to HKEY_USERS\Default\ControlPanel\Desktop Set the values of ScreenSaveActive and ScreenSaverIsSecure to 1 Screen saver password with account lockout (Q188700) screen saver settings for policy may not be applied on W2K; install SP1 (Q257939) screen saver vulnerability (MS99-008; Q221991); ScrnSav-fix script activex controls marked safe for scripting. IE 5.x Scriptlet.typlib ActiveX control not safe for scripting; apply Eyedog-fix (Q240308) Scripts directory in \winnt\system32\inetsrv should be restricted to only admin Scriptlet Rendering vulnerability; IE; patch or latest IE (Q266336; MS00-055) Scrnsav-fix hotfix missing, SP4 (Q221991) Scrrun.dll - Not needed; used by viruses; delete (CIAC J-018) Seagate Backup Exec virus scanning s/w can delete visual basic class files (2/99, ntbug) Seattle Lab Sendmail - A buffer overflow exists in v2.5. Do not use. Serv-U FTP setup.iss (\winnt\setup.iss) may have passwords included in the file SAM - Protect the SAM, repair directory, and ERD. SCM - sets the registry key value for FullPrivilegeAuditing incorrectly (ntbugtraq 8/99) Seagate Backup Exec 7.2 Exchange Agent leaks memory; update to 7.2.1616 Secevent.evt file permission - give only admin and system full control sechole vulnerability (sechole.exe) - apply priv-fix or SP5 (Q190288 and MS98-009) secure desktop disabled on W2K; enable (Q260197 and MS00-020) HKLM\SW\Microsoft\Windows NT\CurrentVersion\Windows\SecureDesktop reg-dword:1 Security Event Log - Apply SP4. 
Security Identifier Request Vulnerability, LSA; install syskey hotfix (Q248185, MS99-057) security.log - should only have admin and system full control; no R or W for anyone else Security Log - Go to Event Viewer | Log | Log Settings. Enable "Do Not Overwrite Events ..." Server-side page reference redirect vulnerability; install the server-side patch (Q246094, MS99-050) service control manager (SCM) (service.exe) could impersonate a service; patch (MS00-053; Q269523) Service Pack - Load the latest. Go to HKLM\SW\Microsoft\Windows NT\CurrentVersion. CSDVersion should be 6. Service Pack 1 should be installed on W2K (Q260910) Service Pack 2 - May cause loss of connectivity in remote access. Fixed in SP3 and ras-fix hotfix. service.exe - distributed denial of service attack (trinoo); kill the service and file services - passwords stored in the clear Setup registry - restrict Setup with Win32k.sys - during setup, may cause a DoS. Fixed in SP2. Shade package Shadow Security Scanner can crack passwords; delete sss.exe and suc.exe SharedDLLs registry - restrict Shares - Do not allow shares. Shell Extensions registry - restrict shell path specifies relative path and not absolute path; patch (Q269049; MS00-052) Shockwave - Can be used to read Netscape mail. Do not install Shockwave or use Netscape for mail. short filename problem with IIS 4.0 and PWS 4.0 (Q179148) showcode.asp - can be used to view files in IIS 4.0; delete Shutdown - Go to HKLM\SW\Microsoft\Windows NT\CurrentVersion\Winlogon. Set ShutdownWithoutLogon with REG-SZ of 1. SID and MS Access - A SID can be read from Access and pasted over a SID in the MSysAccounts table for access sid2user and user2sid - used to discover admin and other accounts simple tcp/ip attacks - Q154460 Site Server stores account name and password in clear text (3/99, ntbugtraq) Site Server and cookies (MS99-035) SLIP connection - NT can lock up while copying files via RAS over SLIP. Apply the wan hotfix. 
(Q163251) SLMail - no password encryption in HKLM\Software\Seattle Lab\SLMail\Users; also DoS; disable remote administration Sluter worm SMAPI port vulnerability causing a DoS on W2K; install SP1 (Q258060) SMB - Do not use SMB 2.0 or earlier. They use plaintext passwords. SMB downgrade SMB logon - During a SMB logon request, may cause a DoS. Apply the srv-fix. Smbclient SMC Elite Ultra NIC - On NT 3.51, causes a DoS. Upgrade to NT 4.0 or SP5. Smss hotfix missing on SP4 (Q218473) SMTP - DoS in Exchange Server; causes mail stop (Q188341 and Q188369) smtpsvc.dll - latest one patches to version v5.5.1877.18 SMURF - SMURF is a DoS attack. Apply teardrop2 hotfix. SNA Server 2.11 - Disables secure certificates. Fixed in SP2. (Q148602) SNA Services - Disable AFTP, NVAlert, and NVRunCmd services. snapshot viewer vul (MS03-038 and KB827104) SNMP - Disable this service. If used, make sure the public community is not in the Accepted list. SNMP Community Registry - Go to HKLM\SYS\CCS\Services\SNMP\Parameters\ValidCommunities. Don't give READ access SNMP OID - Incorrectly identifies the wrong type of operating system and Object ID. Fixed in SP2. (Q154784) SNMP Query - Queries are the same for workstation and server. Fixed in SP2. (Q163837) Snmputil.exe - used for information gathering; found on NT resource kit; delete Snooping - Look for snooping tools such as IP-Watcher and MS SMS Netmon. 
Snork - RPC Spoofing DoS caused by infinite REJECT loop (Q193233 and MS98-014) Sndvol.exe is a trojan horse; delete Sober worm SoftArc FirstClass Intranet server and client s/w stores clear text passwords Source routing enabled; disable (Q217336) Specialized header vulnerability, IIS 5.0 on W2K; install SP1 (Q256888 and MS00-058) Spoofed Route Pointer vulnerability; need post SP5 spoof-fix hotfix (MS99-038) spooleak.exe is a DoS program that exploits SPOOLSS.EXE spooler can crash or run arbitrary code; apply spooler patch (MS99-047, Q243649) Spoolsploit.exe and spoolhack.dll exploits the spooler service SPOOLSS - Go to HKLM\SYS\CCS\Services\LanmanServer\Parameters. Delete SPOOLSS from NullSessionPipes. (Q143138) SPX - data stream may reset (Q153665) SQL - SQL Server 6.0 and 6.5 stores userid and password in clear text (3/99- ntbugtraq) SQL DTS password can be retrieved; patch (MS00-041; Q264880) SQL integrated security mode not enabled hklm\sw\microsoft\mssqlserver\mssqlserver loginmode:reg_dword:1 SQL query abuse vulnerability; apply SQL server 7.0 patch SQL server 7.0 linked server password vulnerability (11/99, ntbugtraq) SQL stored procedures permission vulnerability; patch (MS00-048; Q266766) sqlsp.log SQL Server 7.0 log file may have accounts and plain text passwords SSL and IIS vulnerability (ntbugtraq 7/99) SSL Certificate Validation Vulnerability, Internet Explorer; patch (MS00-039, Q254902) SSL encryption - use 128 bit schannel.dll (MS98-002 and Q148427) SSL ISAPI filter vulnerability; install the SSL ISAPI filter patch (MS99-053, Q244613) SSPING - SSPING can cause DoS. Apply the teardrop-2 hotfix. Startup programs (explorer.exe, userinit.exe, nddeagnt.exe) found in system drive (c:\) delete Still Image Service, W2K unchecked buffer allows admin; patch (Q272736 and MS00-065) SubmitControl - HKLM|SYS|CCS|Control|Lsa|SubmitControl and set to 0. 
Sun Java Virtual Machine; latest is 1.4.2_02 Surfairy error-page hijacker Symantec Ghost - error when ghosting SP4 installations - update your Ghost SYN Attack Protection not enabled HKLM\sys\ccs\services\tcpip\parameters\ synattackprotect:reg_dword:2 SYN flood attack - Can cause a DoS. Apply the teardrop-2 fix. This has a better tcpip.sys file. (Q142641) Syscalls SysCopy registry value (netbus) trojan horse SysEvent.Evt file permission - Admin and system access only SYSKEY - Run syskey.exe to strongly encrypt password information. Stops L0phtcrack. (Q143475) Syskey keystream reuse vulnerability; apply syskey hotfix (Q248183, MS99-056) System Event Log - Go to HKLM\SYS\CCS\Services\EventLog\System. Create RestrictGuestAccess with REG_DWORD of 1. System Time - User rights "change the system time" should be Admin and Power Users only. Taskmanager - Guest account should not have access to the taskmgr.exe file take ownership - assigns wrong ownership in SP1-3; Q183054 TAPI 2.1 - There are problems with TAPI 2.1 that cause a DoS. Install the tapi21 hotfix. (Q179187) TCP chorusing TCP Sequence Numbers predictable; fixed with SP5; (Q192292) TCP/IP - TCP/IP causes time waits of over 4 minutes. Apply the iis4-fix. (Q169274) TCP/IP Initial Sequence Numbers (ISN) not random enough (Q243835, MS99-046) TCP/IP Print Request Vulnerability running lpd service; install patch (MS00-021; Q257870) tcpip.sys - Earlier versions are vulnerable. Apply the teardrop 2 hotfix. Tcpip.sys on multiprocessor is bad - apply post SP4 tcpip-fix TDS packet header vulnerability, SQL Server - apply patch; Q248749, MS99-059 Teardrop - Can cause a DoS. Apply the teardrop2-fix. (Q179129) Telnet 1031 - Telnet to 1031 (inetinfo) can cause a DoS. Apply SP3. Telnet 135 - Telnet to 135 (NetBIOS) can cause a DoS. Apply SP3. (Q162567) Telnet 19 - Telnet 19 (chargen) and telnet 53 (DNS) can cause DoS. Apply the dns-fix. (Q169461) Telnet 53 - Sending a flood of characters to port 53 can cause a DoS. Apply SP3. 
(Q162927) Telnet Service - The default telnet service may allow unauthorized access. Telnet.exe - buffer overflow problem (Windows 95/98); patch available (MS00-067) telnet.exe - W2K - authentication vulnerability; patch Terminal Server Edition - apply SP4 for Terminal Server Terminal Server Edition - port 3389 DoS; apply Flood-fix (MS99-028) telnet server on W2K can cause a DoS; patch (MS00-050; Q267843) TestTrack bug tracking s/w has security problems (3/99, ntbugtraq) Text I-ISAM in Jet; apply Jet database engine patch (MS99-030) Thread Priority - The SetThreadPriority can hog resources. Do not run cpuhog. ThreadContext - GetThreadContext or SetThreadContext may cause DoS. Fixed in SP1. (Q142653) Time Server Time Wait - Time wait with TCP/IP can exceed 4 minutes. Apply iis4-fix. TMS/SMS Token Rights - User rights "create a token object" should be blank. Token Ring - Bad data in the Routing Information Field (RIF) causes DoS Toshiba computer - NT may fail to boot on Toshibas. Fixed in SP2. (Q150815) TRACERT - This diagnostic utility can determine the path. Disallow incoming ICMP packets. TransSoft Broker FTP server v3.5 vulnerability (11/99, ntbugtraq) Troubleshooter ActiveX vul (MS03-042 and KB826232) Trumpet Winsock Truncate - A new file can overwrite another file with sensitive data. Don't allow IIS_USER to create files Truncated Files - letters A thru F can't be truncated on CDs. Fixed in SP2 (Q159105) Type 1 Installer registry not restricted by default UA control vulnerability, Office 2000; patch (MS00-034; Q262767) UDB UDP frame - may cause WINS to hang (Q155701) Unattended install vulnerability (MS99-036) unattended setup - fails (Q143473) undelimited .htr request vulnerability; ISMPST patch (MS00-031; Q260838) Unencrypted passwords - Go to HKLM\SYS\CCS\Services\RDR\Parameters. Add EnablePlainTextPassword DWORD = 0. 
Unlock Dialog Box - can reveal clipboard contents; apply ginafix hotfix (Q214802) UNIX and long usernames - May cause DoS when using the SAMBA and long names. Fixed in SP3. (Q161830) Unknown service - Examine all services being run. Untrusted Scripted Paste in Internet Explorer 5.0 - load MSHTML update (MS99-012) Uploader - This O'Reilly program can compromise a web server. Delete uploader if it exists. UPS - Loss of power may mean loss of data. Use a UPS. UPTOMP fails with SP5 (ntbugtraq 7/99) URL with short filename; apply sfn-fix (Q179148) URLS that are too long - If between 4 and 8K, may cause a DoS on IIS 3.0. Install iis-fix and upgrade. URLs with IIS 1.0 - Can download files outside root. Upgrade IIS. USB drivers need to be updated User name not hidden - Go to HKLM\SW\Microsoft\Windows NT\CurrentVersion\Winlogon. Add DontDisplayLastUserName and value of 1. User Rights - Examine all 27 user rights. May be misconfigured. user.dmp file - may contain passwords or proprietary data; created with drwtsn32.exe Users can log on server - Only admin should have the right to log on locally. Users can put files on a server - Create a drop box with only Write permissions. Usrmgr.exe - Can be used to create local groups. Delete usrmgr if it exists. VBA buffer overrun vul (MS03-037 and KB822715) VBA Shell in Jet; apply Jet database engine patch (MS99-030) Viewcode.asp - can view files in Site Server 3.0; delete Vintra mail server VirusScan registry unrestricted HKLM\SW\McAfee\Tasks Virtual Directory naming vulnerability - apply patch; Q238606 and MS99-058 Virtual Machine file reading vulnerability; install latest VM (build 3193) Virtual Machine Sandbox - Allows Java applet to take any action; apply patch (MS99-031)(Q240346) Virtual Machine Verifier vulnerability; apply VM patch (Q244283; MS99-045) virtualized UNC share vulnerability; install patch (MS00-019; Q249599) Viruses - run a good virus protection program. 
VirusWall 3.23 helo overflow; needs a patch (11/99, ntbugtraq) Visual Basic 4.0 - NT may hang when running 16-bit version. Fixed in SP2. (Q161657) War FTPD WebCam32 Webcom CGI Guestbook for Win32 web servers (NTBugtraq 4/99) Web Proxy Auto Discovery (WPAD) spoofing vulnerability. MS99-054, Q247333. WebSite 1.1 - Has buffer overflow vulnerabilities. Don't use the WebSite CGI programs /cgi-dos/args.cmd WebSTONE - causes poor IIS performance (Q163213) WebSuite 2.1 server has buffer overflow problem and will crash (NTBugtraq 5/99) WebTrends software has bad permissions on passwords WebTV security flaw Whack.exe is a trojan horse for netbus; delete Win32k.sys - Bad parameters cause DoS. Fixed in SP2. (Q160601, Q159076) Window.External JScript Vulnerability - install 3.1b scripting engine (scr31en.exe) (MS98-011) Windows 2000 must be production release (build 2195) Windows Media Service Handshake Vul - install patch (MS00-013 and Q253943) Windows NT 4.0 Beta - users could have read and delete access to shares. Don't use the beta. Windows Media Player; latest is version 6.4.7.1128 (KB828026) Windows media services handshake vulnerability; install patch Windows RunOnce Key not restricted by default Wingate vulnerabilities (NTbugtraq 4/99) winhlp32.exe - buffer overrun in this help utility; patch (MS99-015) winhlpadd.exe and add.bat exploit a buffer overrun in winhlp32.exe Winfo information gathering tool Winkill Winlogon - Go to HKLM\SW\Microsoft\Windows NT\CurrentVersion\Winlogon. Remove access for Server Operators. Winlogon permission - Go to HKLM\SW\Microsoft\Windows NT\CurrentVersion\Winlogon. No privileges to Everyone. WinNuke - Causes DoS. Apply SP3 and hotfixes. Winpopup - Causes DoS when sending long usernames in a winpopup message. Fixed in SP3. Winreg - Go to HKLM\SYS\CCS\Services\LanmanServer\Parameters. Add winreg Winreg - Go to HKLM\SYS\CCS\Control\SecurePipeServers and add Winreg key. WINS - Invalid UDP frames may cause WINS to crash. Apply winsupd fix.
(Q155701) WINS with 100 owners - This can cause database corruption. Fixed in SP3. (Q162778) winsock call on SP6 only works with admin; need a new afd.sys file (Q245678) Winsock port - Loss of data may occur when multiple processes are running. Fixed in SP2. (Q142634) winsock problem with Lotus Notes; add Service pack 6a (SP6a) (Q246009) winsock recv - A MS exchange server thread may loop forever, causing DoS. Apply the rpc-fix. winspool.drv problem with SP6 needs admin privileges; using SP5 release of winspool is ok Winstone 97 - May fail on NT 4.0. Fixed in SP2. (Q141375) WinWhatWhere Investigator keystroke monitoring program (w3isetup.exe, w3iupd.exe) wireless vulnerabilities (KB826942) WM-NCCREATE - NT crashes while processing the WM_NCCREATE message. Fixed in SP2. (Q159085) Word 97 Template - add patch to warn user when opening a macro template (Q214652) Word Macro vulnerability (MS03-050) Word Options Registry - only admin and system should have access Workstation add privilege - User rights "add workstations to domain" should be blank. Workstation Service vulnerability (MS03-049, MS03-043) WoW registry - restrict WPAD spoofing vulnerability; apply IE 5.01 (MS99-054, Q247333) Write Cache - The cache is not cleared and may have passwords. Apply the ide fix. ws_ftp.ini files - ws_ftp.ini files may contain passwords. Ensure this file is locked from users. WS FTP Server - DoS with cwd command with string longer than 876 characters wscript.exe wsock32.dll - set the attribute to read-only to prevent viruses infecting it WWWROOT - Do not allow IIS_User read access to the wwwroot directory. Y2K - problems. Install the y2k2-fix. (Q175093) Y2K problems; with the fix, still adds 12 hours (3/99, ntbugtraq) Yahoo Messenger; latest is 5.6.0.1346 Yahoo! Webcam ActiveX vul Xircom PC Card - Causes a DoS. Install the pcm-fix. (Q180532) Zak zipped_files.exe - worm