Hypothetically, could a weak password (local OS Windows admin account) on a web server hosting public-facing sites ever be exploited by an external user, i.e. someone just browsing one of the web apps hosted on that Windows/IIS server? I can't see how a local OS password on a web server could ever be exploited externally, but any insight would be interesting. We are doing some risk assessment work on the importance of password security for all major server roles, and one of the risk factors is threat agents, i.e. who could exploit such vulnerabilities.