cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dnkleaf
Engaged Sweeper
We have created a lansweeper report regarding our patch status for the deja blue vulnerability.

However we need to include a section that shows us the devices RDP Service status as our report currently does not have this feature and will feel this is information we need to report on.

Does anybody have good experience and be able to offer any suggestion?


We used the following syntax to make the report

Select Distinct Top 1000000 Coalesce(tsysOS.Image,
tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblState.Statename As State,
Case tblAssets.AssetID
When SubQuery1.AssetID Then 'Up to date'
Else 'Out of date'
End As [Patch status],
Case
When tblComputersystem.Domainrole > 1 Then 'Server'
Else 'Workstation'
End As [Workstation/Server],
tblAssets.Username,
tblAssets.Userdomain,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tsysOS.OSname As OS,
tblAssets.SP,
Case
When tsysOS.OScode Like '10.0.10240%' Then '1507'
When tsysOS.OScode Like '10.0.10586%' Then '1511'
When tsysOS.OScode Like '10.0.14393%' Then '1607'
When tsysOS.OScode Like '10.0.15063%' Then '1703'
When tsysOS.OScode Like '10.0.16299%' Then '1709'
When tsysOS.OScode Like '10.0.17134%' Then '1803'
When tsysOS.OScode Like '10.0.17763%' Then '1809'
When tsysOS.OScode Like '10.0.18362%' Then '1903'
End As Version,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When tblErrors.ErrorText Is Not Null Or
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
Case
When tblAssets.AssetID = SubQuery1.AssetID Then ''
Else Case
When tsysOS.OSname = 'Win 2008' Then 'KB4512491 or KB4512476'
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname = 'Win 2008 R2' Then 'KB4512486 or KB4512506'
When tsysOS.OSname = 'Win 2012' Or
tsysOS.OSname = 'Win 8' Then 'KB4512482 or KB4512518'
When tsysOS.OSname = 'Win 8.1' Or
tsysOS.OSname = 'Win 2012 R2' Then 'KB4512489 or KB4512488'
When tsysOS.OScode Like '10.0.10240' Then 'KB4512497'
When tsysOS.OScode Like '10.0.10586' Then 'KB4093109'
When tsysOS.OScode Like '10.0.14393' Or
tsysOS.OSname = 'Win 2016' Then 'KB4512517'
When tsysOS.OScode Like '10.0.15063' Then 'KB4512507'
When tsysOS.OScode Like '10.0.16299' Then 'KB4512516'
When tsysOS.OScode Like '10.0.17134' Then 'KB4512501'
When tsysOS.OScode Like '10.0.17763' Or
tsysOS.OSname = 'Win 2019' Then 'KB4511553'
When tsysOS.OScode Like '10.0.18362' Then 'KB4512508'
End
End As [Install one of these updates],
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
Case
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) > 3 Then
'Windows update information may not be up to date. We recommend rescanning this machine.'
Else ''
End As Comment,
Case tblAssets.AssetID
When SubQuery1.AssetID Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering
Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
= tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4512491', 'KB4512476',
'KB4512486', 'KB4512506', 'KB4512482', 'KB4512518', 'KB4512489',
'KB4512488', 'KB4512497', 'KB4093109', 'KB4512517', 'KB4512507',
'KB4512516', 'KB4512501', 'KB4511553', 'KB4512508')) As SubQuery1 On
tblAssets.AssetID = SubQuery1.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
tblAssets.AssetID
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
tblAssets.AssetID = QuickFixLastScanned.ID
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Inner Join tblAssets On tblAssets.AssetID = tblErrors.AssetID
Group By tblAssets.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Where tblAssets.AssetID Not In (Select Top 1000000 tblAssets.AssetID
From tblAssets Inner Join tsysOS On tsysOS.OScode = tblAssets.OScode
Where tsysOS.OSname Like 'Win 7%' And tblAssets.SP = 0) And
tsysOS.OSname != 'Win 2000 S' And tsysOS.OSname Not Like '%XP%' And
tsysOS.OSname Not Like '%2003%' And tsysAssetTypes.AssetTypename Like
'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName




Thanks for any information supplied

Best regards

George
2 REPLIES 2
Hendrik_VE
Champion Sweeper III
This is the report we use for DejaBlue. For this report to work you need to scan the following two registry values:
SYSTEM\CurrentControlSet\Control\Terminal Server --> fDenyTSConnections
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp --> UserAuthentication

Select Distinct Top 1000000 Coalesce(tsysOS.Image,
tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
Case tblAssets.AssetID
When SubQuery1.AssetID Then 'Yes'
Else 'No'
End As [DejaBlue Patched],
tblServiceState.State As [RDP Service Status],
Case
When RDPConnectionState.Value = '0' Then 'RDP Enabled'
When RDPConnectionState.Value = '1' Then 'RDP Disabled'
Else 'No data'
End As [RDP Connection State],
Case
When NLAState.Value = '1' Then 'On'
When NLAState.Value = '0' Then 'Off'
Else 'No data'
End As [NLA (On/Off)],
Case
When tblAssets.AssetID = SubQuery1.AssetID Then 'No'
When tblServiceState.State Like 'Stopped' Then 'No'
When RDPConnectionState.Value = '1' Then 'No'
When NLAState.Value = '1' Then 'No'
Else 'Yes'
End As Vulnerable,
Case
When tblAssets.AssetID = SubQuery1.AssetID Then ''
Else Case
When tsysOS.OSname = 'Win 7' Or tsysOS.OSname = 'Win 7 RC' Or
tsysOS.OSname = 'Win 2008 R2' Then 'KB4512506 or KB4512486'
When tsysOS.OSname = 'Win 2012' Then 'KB4512518 or KB4512482'
When tsysOS.OSname = 'Win 8.1' Or
tsysOS.OSname = 'Win 2012 R2' Then 'KB4512488 or KB4512489'
When tsysOS.OScode Like '10.0.10240' Then 'KB4512497'
When tsysOS.OScode Like '10.0.14393' Or
tsysOS.OSname = 'Win 2016' Then 'KB4512517'
When tsysOS.OScode Like '10.0.15063' Then 'KB4512507'
When tsysOS.OScode Like '10.0.16299' Then 'KB4512516'
When tsysOS.OScode Like '10.0.17134' Then 'KB4512501'
When tsysOS.OScode Like '10.0.17763' Or
tsysOS.OSname = 'Win 2019' Then 'KB4511553'
When tsysOS.OScode Like '10.0.18362' Then 'KB4512508'
End
End As [Install one of these updates],
tsysOS.OSname As OS,
tblAssets.SP,
Case
When tsysOS.OScode Like '10.0.10240%' Then '1507'
When tsysOS.OScode Like '10.0.10586%' Then '1511'
When tsysOS.OScode Like '10.0.14393%' Then '1607'
When tsysOS.OScode Like '10.0.15063%' Then '1703'
When tsysOS.OScode Like '10.0.16299%' Then '1709'
When tsysOS.OScode Like '10.0.17134%' Then '1803'
When tsysOS.OScode Like '10.0.17763%' Then '1809'
When tsysOS.OScode Like '10.0.18362%' Then '1903'
End As Version,
Case
When tblComputersystem.Domainrole > 1 Then 'Server'
Else 'Workstation'
End As [Workstation/Server],
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblAssets.Lastseen,
Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) + ' days ago' As WindowsUpdateInfoLastScanned,
Case
When Convert(nvarchar,DateDiff(day, QuickFixLastScanned.QuickFixLastScanned,
GetDate())) > 7 Then
'Windows update information may not be up to date. We recommend rescanning this machine.'
Else ''
End As Comment,
Case
When tblAssets.AssetID = SubQuery1.AssetID Then '#d4f4be'
When tblServiceState.State Like 'Stopped' Then '#ffff00'
When RDPConnectionState.Value = '1' Then '#ffff00'
When NLAState.Value = '1' Then '#ffff00'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Top 1000000 tblQuickFixEngineering.AssetID
From tblQuickFixEngineering
Inner Join tblQuickFixEngineeringUni On tblQuickFixEngineeringUni.QFEID
= tblQuickFixEngineering.QFEID
Where tblQuickFixEngineeringUni.HotFixID In ('KB4512497', 'KB4512517',
'KB4512507', 'KB4512516', 'KB4512501', 'KB4511553', 'KB4512508',
'KB4512506', 'KB4512486', 'KB4512488', 'KB4512489', 'KB4512518',
'KB4512482')) As SubQuery1 On tblAssets.AssetID = SubQuery1.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tblOperatingsystem On tblOperatingsystem.AssetID =
tblAssets.AssetID
Left Join tsysIPLocations On tblAssets.IPNumeric >= tsysIPLocations.StartIP
And tblAssets.IPNumeric <= tsysIPLocations.EndIP
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join (Select Distinct Top 1000000 tblAssets.AssetID As ID,
TsysLastscan.Lasttime As QuickFixLastScanned
From TsysWaittime
Inner Join TsysLastscan On TsysWaittime.CFGCode = TsysLastscan.CFGcode
Inner Join tblAssets On tblAssets.AssetID = TsysLastscan.AssetID
Where TsysWaittime.CFGname = 'QUICKFIX') As QuickFixLastScanned On
tblAssets.AssetID = QuickFixLastScanned.ID
Inner Join tblComputersystem On tblAssets.AssetID = tblComputersystem.AssetID
Inner Join tblServices On tblAssets.AssetID = tblServices.AssetID
Inner Join tblServicesUni On tblServicesUni.ServiceuniqueID =
tblServices.ServiceuniqueID
Inner Join tblServiceState On tblServiceState.StateID = tblServices.StateID
Left Join (Select tblRegistry.Value,
tblRegistry.AssetID
From tblRegistry
Where tblRegistry.Valuename = 'UserAuthentication') NLAState On
tblAssets.AssetID = NLAState.AssetID
Left Join (Select tblRegistry.Value,
tblRegistry.AssetID
From tblRegistry
Where tblRegistry.Valuename = 'fDenyTSConnections') RDPConnectionState On
tblAssets.AssetID = RDPConnectionState.AssetID
Where tsysOS.OSname Not Like '%2000%' And tsysOS.OSname Not Like '%Win 8%' And
tsysOS.OSname Not Like '%Win 2008' And
tblServicesUni.Name Like '%TermService%' And tsysAssetTypes.AssetTypename Like
'Windows%' And tblAssetCustom.State = 1
Order By tblAssets.Domain,
tblAssets.AssetName
Esben_D
Lansweeper Employee
Lansweeper Employee
Take a look at the original bluekeep report, it has a column for RDP service status

https://www.lansweeper.com/report/microsoft-bluekeep-vulnerability-audit/

New to Lansweeper?

Try Lansweeper For Free

Experience Lansweeper with your own data.
Sign up now for a 14-day free trial.

Try Now