Microsoft BlueKeep Vulnerability Audit

Find All Devices Vulnerable to the RDS BlueKeep Vulnerability

Along with May's Patch Tuesday came a special patch for CVE-2019-0708 on older operating systems, which fixes the BlueKeep vulnerability. Newer operating systems get these updates automatically, as they are included in the regular Patch Tuesday updates. You can find all the details in our BlueKeep vulnerability blog post.

This audit checks whether older operating systems, which no longer update automatically, have the newly released patch installed. It also checks whether the Remote Desktop service is running, which is required to exploit the vulnerability. The audit is color-coded so you can easily identify the computers that require immediate action.

Microsoft BlueKeep Vulnerability Query

Select Distinct Top 1000000 Coalesce(tsysOS.Image,
  tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblState.Statename As State,
  Case tblAssets.AssetID
    When SubQuery1.AssetID Then 'Yes'
    Else 'No'
  End As [CVE-2019-0708 Patched],
  tblServiceState.State As [RDP Service Status],
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
    When tblServiceState.State Like 'Stopped' Then 'No'
    Else 'Yes'
  End As Vulnerable,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then ''
    Else Case
        When tsysOS.OSname Like '%XP%' Or
          tsysOS.OSname Like '%2003%' Then 'Install KB4500331'
        When tsysOS.OSname = 'Win 2008' Then 'Install KB4499149, KB4499180, KB4503273 or KB4503287'
        When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
          tsysOS.OSname = 'Win 2008 R2' Then 'Install KB4499164, KB4499175, KB4503292 or KB4503269'
      End
  End As [Install one of these updates],
  tsysOS.OSname As OS,
  tblAssets.SP,
  Case
    When tblComputersystem.Domainrole > 1 Then 'Server'
    Else 'Workstation'
  End As [Workstation/Server],
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tblAssets.Lastseen,
  Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
  GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
  Case
    When DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
      GetDate()) > 7 Then
      'Windows update information may not be up to date. We recommend rescanning this machine.'
    Else ''
  End As Comment,
  Case
    When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
    When tblServiceState.State Like 'Stopped' Then '#d4f4be'
    Else '#ffadad'
  End As backgroundcolor
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
      From tblQuickFixEngineering
        Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
          = tblQuickFixEngineering.QFEID
      Where tblQuickFixEngineeringUni.HotFixID In ('KB4499149', 'KB4499180',
        'KB4499164', 'KB4499175', 'KB4500331', 'KB4503273', 'KB4503287',
        'KB4503292', 'KB4503269')) As SubQuery1 On
    tblAssets.AssetID = SubQuery1.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
    tblAssets.AssetID
  Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
    And tblAssets.IPNumeric <= tsysIPLocations.EndIP
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        TsysLastscan.Lasttime As QuickFixLastScanned
      From TsysWaittime
        Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
        Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
      Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
    tblAssets.AssetID = QuickFixLastScanned.ID
  Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
        Max(tblErrors.Teller) As ErrorID
      From tblErrors
        Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
      Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
  Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
  Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
  Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
    tblServices.ServiceuniqueID
  Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
  tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%' And
  tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%' And
  tsysOS.OSname Not Like '%8.1%' And
  tsysOS.OSname Not Like '%2019%' And tblServicesUni.Name Like '%TermService%'
  And tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
  tblAssets.AssetName
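
The audit query reaches tblServices, tblComputersystem and tblOperatingsystem through Inner Join, so an in-scope asset with no scanned row in one of those tables is absent from the result rather than shown as vulnerable. The companion query below is an added example, not part of the original Lansweeper report; it uses only tables and columns that appear in the query above, and the column alias [Reason not in audit] is made up for this example.

```sql
-- Added example, not part of the original report: active Windows assets on
-- the same in-scope operating systems that the audit query cannot return,
-- because one of its inner joins finds no matching row for them.
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tsysOS.OSname As OS,
  tblAssets.SP,
  tblAssets.Lastseen,
  Case
    When Not Exists (Select 1 From tblComputersystem
        Where tblComputersystem.AssetID = tblAssets.AssetID)
      Then 'No tblComputersystem row'
    When Not Exists (Select 1 From tblOperatingsystem
        Where tblOperatingsystem.AssetID = tblAssets.AssetID)
      Then 'No tblOperatingsystem row'
    Else 'No TermService row with a known state'
  End As [Reason not in audit]
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tsysAssetTypes.AssetTypename Like 'Windows%' And tblAssetCustom.State = 1
  -- Operating system scope copied from the audit query.
  And tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
      From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
      Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0)
  And tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%2016%'
  And tsysOS.OSname Not Like '%win 10%' And tsysOS.OSname Not Like '%2012%'
  And tsysOS.OSname Not Like '%8.1%' And tsysOS.OSname Not Like '%2019%'
  -- Keep only assets for which at least one audit inner join would fail.
  And (Not Exists (Select 1 From tblComputersystem
        Where tblComputersystem.AssetID = tblAssets.AssetID)
    Or Not Exists (Select 1 From tblOperatingsystem
        Where tblOperatingsystem.AssetID = tblAssets.AssetID)
    Or Not Exists (Select 1
        From tblServices
          Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
            tblServices.ServiceuniqueID
          Inner Join tblServiceState On tblServiceState.StateID =
            tblServices.StateID
        Where tblServices.AssetID = tblAssets.AssetID
          And tblServicesUni.Name Like '%TermService%'))
Order By tblAssets.Domain,
  tblAssets.AssetName
```

Assets returned here have not been assessed by the audit at all, so rescan them before reading their absence from the audit as a clean result.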

Audit and Take Action in 3 Easy Steps

1. Download & Install Lansweeper

3. Run the Audit & Take Action
