Classic Portal VM Endpoint Security

  • Question

  • A client has a number of VMs that were created in the Classic portal some time ago and recently they've been getting "Intrusion" alerts from their Symantec security product. Two servers in particular were raising the alerts on port 80, which is odd as neither of the VMs had Endpoints set up for HTTP (port 80).

    We ran external port scans on the public IPs of the VMs and port 80 was shown as closed so we couldn't understand where the port 80 traffic was coming from.

    In order to troubleshoot the problem we added an HTTP Endpoint to both VMs and then created an ACL to Deny everything (0.0.0.0/0) and the alerts have now stopped!

    Can anyone clarify why traffic on port 80 was able to reach the VMs even though there was no Endpoint enabled?

    Cheers for now

    Russell

    Thursday, July 6, 2017 9:50 AM

Answers

  • If you block port 80 with a Symantec™ Endpoint Protection firewall rule on the computer used to access the Azure VM, the RDP session for the Azure VM immediately disconnects and you cannot reconnect unless you open port 80 again.

    Try to update Symantec™ Endpoint Protection manually and check.

    Thursday, July 6, 2017 5:29 PM

All replies

  • Thanks for the confirmation, presumably it's the same for VMs created in the Classic and ARM portals?

    Are there any other ports "open" by default to the VMs?

    Cheers for now

    Russell

    Thursday, July 6, 2017 5:44 PM
  • How to set up endpoints on a classic Windows virtual machine in Azure

    By default, the VMs listen on port 80, even if they don't have an endpoint open on the PublicIP. Yeah, if you want to disable scans, then you can create an NSG rule to deny all traffic, or certain IPs, with a destination port of 80.

    So, create a rule: Source IP "*" Destination IP "VM IP/Subnet/or *" Destination Port 80 Protocol TCP, Direction IN, DENY

    If you were scanning on port 80, the socket may or may not be open and listening. As long as the VM only has 3389 open for the public IP, they should not be able to connect over HTTP. In any case, you can create an NSG, and a Windows firewall rule as well at the GuestOS :)

    You can do netstat -ano to list all ports open and listening from CMD

    Thursday, July 6, 2017 5:53 PM
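
Added example, not part of the thread: a small Python parser for saved `netstat -ano` output that lists the TCP listeners bound to a non-loopback address on any port other than the ones you expect, together with the owning PID. The sample output is constructed, and the allow-list of 3389 only is an assumption taken from the reply above.

```python
import ipaddress
from typing import NamedTuple

class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: int

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    10.0.0.4:3389          203.0.113.7:51512      ESTABLISHED     1120
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       2304
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1004
"""

def parse_listeners(netstat_output):
    """Return every TCP socket in LISTENING state as a Listener tuple."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # TCP rows have exactly 5 columns: Proto, Local, Foreign, State, PID.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")  # copes with "[::]:80"
        host = host.strip("[]").split("%")[0]       # drop brackets and zone id
        listeners.append(Listener("TCP", host, int(port), int(fields[4])))
    return listeners

def exposed_listeners(netstat_output, allowed_ports=frozenset({3389})):
    """Listeners on a non-loopback address whose port is not in allowed_ports."""
    hits = []
    for entry in parse_listeners(netstat_output):
        if ipaddress.ip_address(entry.address).is_loopback:
            continue  # only reachable from the VM itself
        if entry.port not in allowed_ports:
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE):
        print(f"unexpected listener {entry.address}:{entry.port} pid={entry.pid}")
```

On a real VM, save the output with `netstat -ano > listeners.txt`, pass the file contents to `exposed_listeners`, and match the reported PID against `tasklist` to see which process owns the socket.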