" Are the servers patched and physically secure? Or are they mismanaged? I'm curious how they do it in 8 minutes if the box is fully patched and in a secure location. Social engineering doesn't count as that can apply to all systems."
I have never seen a corporate environment where this is true of every system, especially since much software just won't run with certain patches installed. All it takes is one member of a domain to fall to give a toehold which can be used to extend access and gain privileges. Because of how Windows domains and AD work, the attacker's job is made easier.
In many cases "patches" have little to do with it - an inadvertent unprotected fileshare, a default login, an exploitable non-MS application, and the chips start to fall.
Here are some hints... Windows servers cache the credentials of any domain account that logs in... With local system, you can dump it from the registry. Guess what user context much Windows stuff runs as? SQL Server, for example? Ever hear of xp_cmdshell? Stored procedure that lets you run DOS commands through SQL commands... Also, MSDE is often installed inadvertently with things like Visual Studio or many other apps. It comes with default, easily guessable SA logins. Get onto a box, load up something like pwdump3, dump the SAM from the registry, crack, take advantage of trust relationships, access other resources, eventually increase privileges to domain admin.
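Added example (editor's, not the poster's) showing the xp_cmdshell step above from both sides: the command an attacker runs once a default or guessed sa password gets them in, and the audit and hardening queries a defender should run on every instance, including the ones nobody knew were installed. It assumes SQL Server 2005 or later (the sp_configure 'xp_cmdshell' switch does not exist on MSDE/SQL Server 2000) and a connection with sysadmin rights, which is exactly what a default sa login hands over.

```sql
-- Added example, not part of the original post.
-- Assumes SQL Server 2005+ and a sysadmin connection (e.g. the default sa login).

-- 1. Attacker side: run an OS command through T-SQL and learn which account
--    it executes as. This is the SQL Server service account, which is the
--    "guess what user context" point made above.
EXEC master..xp_cmdshell 'whoami';
EXEC master..xp_cmdshell 'net localgroup administrators';

-- 2. Defender side: is the door open on this instance?
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
-- run_value = 1 means any sysadmin can run OS commands through T-SQL
EXEC sp_configure 'xp_cmdshell';

-- Is the sa login still enabled?
SELECT name, is_disabled
FROM sys.sql_logins
WHERE name = 'sa';

-- 3. Hardening: close xp_cmdshell and disable sa.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
ALTER LOGIN sa DISABLE;
```

On an MSDE/SQL Server 2000 instance the configuration option is absent; there the equivalent is to remove the extended procedure from master (sp_dropextendedproc 'xp_cmdshell') and set a real sa password. Disabling xp_cmdshell does not change the bigger problem the post points at: if the service runs as LocalSystem or a domain account, any other code execution path in SQL Server inherits that context, so the service account itself should be a low-privilege one.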
I assume your report tells them that weak passwords leave your systems vulnerable. And that includes all systems not just windows.