Virtual Machine (Classic) security problem: open ports not listed in endpoints

Roberto Romeo 21 Reputation points
2021-01-31T14:19:23.183+00:00

We have a VM (Classic) with these endpoints:

HTTP (80) TCP permit 0.0.0.0/0
HTTPS (443) TCP permit 0.0.0.0/0

In the Event Viewer Security log we are continuously receiving audit failure 4625 (attempts to log on with several nonexistent users with logon process NtLmSsp).
We discovered that there are these ports open:
MSFTDS TCP 445
NETBIOS TCP 139
FTP TCP 21
RPC TCP 135
As soon as we blocked MSFTDS port with a deny endpoint 0.0.0.0/0 the continuous attempts to logon ended.
Is there something I'm missing? Why are these ports open despite not being listed in the endpoints?

Many thanks,
Roberto

Azure Virtual Machines

Accepted answer
  1. prmanhas-MSFT 17,901 Reputation points Microsoft Employee
    2021-02-02T10:03:03.543+00:00

    @Roberto Romeo Apologies for the delay in response and all the inconvenience caused because of the issue.

    Firstly, I would suggest that you migrate your classic deployment to ARM. The reason is that classic deployment will soon be expired and there are no new features or capabilities which you can take advantage of as such in classic deployment. For migration and other information you can refer to this.

    Now, coming to your question: Classic VMs in Azure do make use of some hidden open ports for internal communication management between the cloud controller and the VM. Also, 445 can be used for SMB over the internet and can also be used for event collection, and that can be the reason the mentioned ports are open.

    Hope it helps!!!

    Please "Accept as Answer" if it helped so it can help others in community looking for help on similar topics.
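
One way to measure the failed logons described in the question, before and after the deny endpoint on 445 is added (an added example, not part of the original thread; the function name `Get-FailedLogonSummary` and the sample events are constructed for illustration):

```powershell
# Added example, not from the original thread. Summarises failed-logon events
# (ID 4625) by source address so you can confirm the attempts stop once the
# deny endpoint is in place. Function name and sample events are constructed.
function Get-FailedLogonSummary {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    begin { $rows = @() }
    process {
        $evt = [xml]$EventXml
        if ($evt.Event.System.EventID -ne '4625') { return }
        # EventData is a flat list of <Data Name="...">value</Data> elements
        $d = @{}
        foreach ($n in $evt.Event.EventData.Data) { $d[$n.Name] = "$($n.'#text')".Trim() }
        $rows += [pscustomobject]@{
            Source  = $d['IpAddress']
            User    = $d['TargetUserName']
            Process = $d['LogonProcessName']   # value is padded in the log, hence Trim()
            Type    = $d['LogonType']
        }
    }
    end {
        # Keep only the NtLmSsp logon process named in the question
        $rows | Where-Object Process -eq 'NtLmSsp' | Group-Object Source |
            Sort-Object Count -Descending |
            Select-Object @{n='Source';e={$_.Name}}, Count,
                @{n='DistinctUsers';e={@($_.Group.User | Sort-Object -Unique).Count}}
    }
}

# Constructed sample events (documentation-range addresses). On the VM, feed real events:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} |
#       ForEach-Object { $_.ToXml() } | Get-FailedLogonSummary
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = foreach ($p in @(@('203.0.113.7','admin'), @('203.0.113.7','test'), @('198.51.100.9','guest'))) {
    "<Event xmlns='$ns'><System><EventID>4625</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$($p[1])</Data><Data Name='LogonType'>3</Data>" +
    "<Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='IpAddress'>$($p[0])</Data>" +
    "</EventData></Event>"
}
$sample | Get-FailedLogonSummary | Format-Table
```

Adding `StartTime` to the `Get-WinEvent` filter hashtable limits the summary to the period after the endpoint change.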

