RDP port is closed, why do I have failed logons in security log?

I've got a firewall in front of our cloud servers that blocks all attempts at RDP.  Yet, I have failed logon attempts in my security logs like:

An account failed to log on.

      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            mcxxxxx@xxxxxxxx.com
      Account Domain:            

Failure Information:
      Failure Reason:            Unknown user name or bad password.
      Status:                  0xc000006d
      Sub Status:            0xc0000064

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      XXXXXXXXX-PC
      Source Network Address:      xx.xxx.xx.xxx
      Source Port:            51745

Detailed Authentication Information:
      Logon Process:            NtLmSsp
      Authentication Package:      NTLM
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

How is that possible?... is there another avenue from a public IP?  How can I close this access?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
Do you have the source IP. Are you sure it is coming from an external source and not internal?

ste5anSenior DeveloperCommented:
There are many different vectors where an login can be made. RDP is not the only one. So the question is: Why do you block RDP? The normal approach would be to DENY ALL as policy and only allow the ports (services) you need.
StarDusterIIAuthor Commented:
Yes, I x'd it out above.  It's definitely an external source.
SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

StarDusterIIAuthor Commented:
Ste5an, we block everything but a few ports.  Only 80, 443, 20-21, 25, 843, and 1935 are open.
StarDusterIIAuthor Commented:
Ste5an, I think the question back to you is, "What are the other vectors?"
ste5anSenior DeveloperCommented:
Exchange for example logs normally there. IIS may use it (FTP).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
StarDusterIIAuthor Commented:
Don't run Exchange but messing up FTP creds put the failed logon there!   Never thought that it would log attempts at FTP just like system logons.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.