Cube-Host – full cloud services

Windows VPS: How to Configure the Windows Server Firewall (Best Practices)

Windows Defender Firewall with Advanced Security is the first real security layer on a Windows Server. A correct firewall policy shrinks the attack surface, prevents accidental exposure of services, and makes troubleshooting easier because you know exactly what is allowed.

This guide is written for a public-facing server: a Windows VPS on VPS hosting, where “open everything” is never a safe default.

Understand firewall profiles (Domain / Private / Public)

Windows Firewall has three profiles: Domain, Private and Public. On most VPS deployments the server is not domain-joined and the active profile is Public, so a rule bound only to Domain or Private does nothing there. A secure baseline for every profile is:

  • Inbound: Block (default)
  • Outbound: Allow (default)

# View current profile settings
Get-NetFirewallProfile | Select Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Enable firewall for all profiles (recommended)
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
(Screenshot: Windows Firewall with Advanced Security, profile overview)
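The following script is an added example, not code from the original article. It pins the baseline above explicitly rather than trusting whatever the VPS image shipped with, shows which profile each adapter is actually in, and stops if any profile is not in the expected state. Run it in an elevated PowerShell on the server.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# on the VPS. Applies the baseline explicitly and refuses to continue if it did
# not take, so later allow rules are not built on an Allow-by-default profile.

# 1. Enable all three profiles and pin the defaults, whatever the image shipped with.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow

# 2. Which profile each NIC is actually in. A rule bound only to Private or
#    Domain is inert on a VPS whose adapter sits in Public.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity

# 3. Verify every profile, not just the active one, before adding allow rules.
$drift = Get-NetFirewallProfile | Where-Object {
    "$($_.Enabled)"               -ne 'True'  -or
    "$($_.DefaultInboundAction)"  -ne 'Block' -or
    "$($_.DefaultOutboundAction)" -ne 'Allow'
}
if ($drift) {
    $drift | Format-Table Name, Enabled, DefaultInboundAction, DefaultOutboundAction -AutoSize
    throw "Firewall baseline not in effect on: $($drift.Name -join ', ')"
}
'Baseline in effect on Domain, Private and Public.'
```

If the server is under Group Policy, the values shown by Get-NetFirewallProfile may be overridden by the GPO setting; check the policy store (-PolicyStore ActiveStore) before assuming the local change is what is enforced.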

Rule #1: secure RDP (3389/TCP) — don’t expose it to everyone

RDP is necessary for administration, but 3389 is also one of the most scanned ports on the internet. The safe approach:

  • Keep inbound blocked by default.
  • Create an explicit rule for RDP only from your IP (or trusted office/VPN IP ranges).
  • Scope or disable the built-in "Remote Desktop" rule group as well: enabling Remote Desktop in System Properties turns that group on for any remote address, and because allow rules are additive, an IP-restricted rule restricts nothing while the group still allows everyone.
  • If possible, use RD Gateway over 443 for external access (RDS setups).

Important: before tightening RDP rules, confirm you have a provider console or another emergency access path, so a mistake (wrong address, a dynamic home IP that changes) does not lock you out.

(Screenshot: Windows Firewall, New Inbound Rule Wizard, Port rule)

PowerShell example: allow RDP only from your IP

# Replace x.x.x.x with your public IP address.
# RemoteAddress also accepts CIDR (203.0.113.0/24), ranges (203.0.113.10-203.0.113.20)
# and comma-separated lists. Without -Profile the rule applies to all profiles.
New-NetFirewallRule -DisplayName "RDP (3389) - My IP only" `
  -Direction Inbound -Protocol TCP -LocalPort 3389 `
  -Action Allow -RemoteAddress x.x.x.x
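The rule above only helps if nothing else allows 3389 from everywhere. The script below is an added example (not from the original article) that scopes the built-in "Remote Desktop" rule group to the same trusted sources and creates the explicit rule idempotently so it can be re-run. The addresses in $AdminSources are placeholders from the RFC 5737 documentation ranges.

```powershell
# Added example, not from the original article. The addresses in $AdminSources
# are placeholders from the RFC 5737 documentation ranges; replace them with
# your own public IP(s) or VPN/office ranges before running.
$AdminSources = @('198.51.100.7', '203.0.113.0/24')

# Allow rules are additive. Enabling RDP in System Properties also enables the
# built-in "Remote Desktop" rule group with RemoteAddress = Any, and while that
# stands, an extra "my IP only" rule restricts nothing. Scope the group first.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AdminSources
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }

# Our own explicit rule, idempotent so the script can be re-run. No -Profile is
# given (defaults to Any): binding it to Public alone would lock you out if the
# NIC is ever reclassified as Private.
$name = 'RDP (3389) - Admin sources only'
if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $name -RemoteAddress $AdminSources
} else {
    New-NetFirewallRule -DisplayName $name `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -Action Allow -RemoteAddress $AdminSources | Out-Null
}
"RDP now limited to: $($AdminSources -join ', ')"
```

Run it from a session that is already connected through the provider console or from one of the listed addresses; the RemoteAddress change on the built-in group takes effect immediately.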

Allow only what you need (examples)

Create explicit rules for services you really use. Typical examples on a Windows VPS:

  • HTTP/HTTPS: 80/443 for web hosting (IIS).
  • SQL Server: TCP 1433 (the default instance port; named instances use a dynamic or custom port). Restrict it to known IPs, or better, keep it off the internet entirely.
  • WinRM: 5985/5986 only if you use remote automation (restrict tightly, and prefer 5986/HTTPS).

# Web traffic
New-NetFirewallRule -DisplayName "HTTP (80)"  -Direction Inbound -Protocol TCP -LocalPort 80  -Action Allow
New-NetFirewallRule -DisplayName "HTTPS (443)" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# Example: SQL Server on 1433 restricted to a management subnet
New-NetFirewallRule -DisplayName "SQL Server (TCP 1433) - Office" `
  -Direction Inbound -Protocol TCP -LocalPort 1433 `
  -Action Allow -RemoteAddress 203.0.113.0/24

Port rule vs Program rule: which one is safer?

When possible, prefer a Program rule for server applications because it ties the permission to a specific executable. Port rules are simpler and common for servers, but they allow whatever happens to be listening on that port, including a process you did not expect. Note that many built-in Windows services run inside svchost.exe; for those, bind the rule to the service (-Service) rather than to the program, otherwise a Program rule for svchost.exe would cover every service it hosts.

Whichever rule type you choose, also use Scope (RemoteAddress) for custom apps and automation to limit who can reach the service.
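As an added example (not from the original article), the script below first identifies which executable actually owns the listener on a port, then writes a rule that combines program, port and scope. The application path, port and management range are hypothetical placeholders.

```powershell
# Added example, not from the original article. $App, $Port and $Mgmt are
# hypothetical placeholders; point them at the service you actually run.
$App  = 'C:\Apps\OrdersApi\OrdersApi.exe'
$Port = 8443
$Mgmt = '203.0.113.0/24'    # placeholder management range (RFC 5737)

# Confirm which executable really owns the listener before writing a rule for
# it. A bare port rule would trust whatever binds here in the future.
Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port = $_.LocalPort
            PID  = $_.OwningProcess
            Name = $p.ProcessName
            Path = $p.Path        # null if the process is protected or access is denied
        }
    }

# Port rule (too broad): anything listening on 8443 becomes reachable from anywhere.
# New-NetFirewallRule -DisplayName 'API (8443)' -Direction Inbound -Protocol TCP -LocalPort $Port -Action Allow

# Program + port + scope: only this binary, only this port, only from management.
New-NetFirewallRule -DisplayName 'OrdersApi (TCP 8443) - Mgmt only' `
    -Direction Inbound -Action Allow `
    -Program $App -Protocol TCP -LocalPort $Port `
    -RemoteAddress $Mgmt `
    -Description 'Scoped program rule; revisit when the binary path changes'

# Services hosted in svchost.exe are bound by service name, not program path.
# Shown commented out because WinRM is only needed if you use remote automation:
# New-NetFirewallRule -DisplayName 'WinRM HTTPS - Mgmt only' -Direction Inbound `
#     -Service WinRM -Protocol TCP -LocalPort 5986 -Action Allow -RemoteAddress $Mgmt
```

A Program rule is tied to the path; if the application is updated into a new directory the rule silently stops matching and the service becomes unreachable, so keep the path in your deployment documentation.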

Enable firewall logging (makes troubleshooting much easier)

Logging shows what is being blocked and what is being allowed, which is extremely useful when users say "it doesn't connect". Logging allowed connections on a busy web server fills the log quickly, so in production consider logging blocked connections only. The settings are per profile; the command below points all three profiles at one file.

# Documented maximum log size is 32767 KB; one file shared by all profiles
Set-NetFirewallProfile -Profile Domain,Private,Public `
  -LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" `
  -LogMaxSizeKilobytes 32767 `
  -LogAllowed True `
  -LogBlocked True
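Reading the log by eye gets old fast. The following is an added example (not from the original article) that parses pfirewall.log using its own #Fields header, so it works whether or not the build appends the newer pid column, and summarises inbound drops by source and destination port. The $Sample lines are constructed for the demonstration; on a server, feed it the real file.

```powershell
# Added example, not from the original article. Summarises inbound drops from
# pfirewall.log so a "port is open but it does not connect" report can be
# checked against evidence. $Sample is constructed; on a server use Get-Content
# on the real log path.
function ConvertFrom-FirewallLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; newer builds append 'pid', so do not hardcode them.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$row
    }
}

# Constructed sample in the W3C layout Windows writes (RFC 5737 addresses).
$Sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid
2024-05-01 10:15:02 DROP TCP 198.51.100.23 203.0.113.10 51234 3389 52 S 1234567 0 8192 - - - RECEIVE 0
2024-05-01 10:15:03 DROP TCP 198.51.100.23 203.0.113.10 51235 3389 52 S 1234568 0 8192 - - - RECEIVE 0
2024-05-01 10:15:09 ALLOW TCP 203.0.113.77 203.0.113.10 60012 443 52 S 7654321 0 65535 - - - RECEIVE 0
2024-05-01 10:15:11 DROP TCP 192.0.2.40 203.0.113.10 44021 1433 52 S 2468101 0 8192 - - - RECEIVE 0
'@ -split "`r?`n"

$events = ConvertFrom-FirewallLog $Sample
# Real file:
# $events = ConvertFrom-FirewallLog (Get-Content 'C:\Windows\System32\LogFiles\Firewall\pfirewall.log')

# Inbound drops grouped by source and destination port: who is knocking, and where.
$events |
    Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
    Group-Object 'src-ip', 'dst-port' |
    Sort-Object Count -Descending |
    ForEach-Object {
        $ip, $port = $_.Name -split ',\s*'
        [pscustomobject]@{ Source = $ip; DstPort = $port; Drops = $_.Count }
    } | Format-Table -AutoSize
```

On the constructed sample this lists 198.51.100.23 with two drops on 3389 and 192.0.2.40 with one on 1433; the allowed 443 connection is excluded. If a user's own address shows up under DROP for the port they are trying to reach, the problem is the rule or its scope, not the provider firewall.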

Quick diagnostics checklist (when something doesn’t connect)

  • Check the provider firewall / security group first: the port must be open there too, and Windows cannot see that layer.
  • Check the Windows Firewall rule's profile: a rule bound only to Private or Domain does not apply when the adapter is in Public.
  • Check Scope: is RemoteAddress too strict, or has the client's IP changed?
  • Test from a client: TCP connectivity and routing. Windows Firewall drops silently, so a blocked port times out; an immediate "connection refused" means the packet reached the host and nothing is listening there.
  • Review pfirewall.log for blocked connections.

# From a client/jump host
Test-NetConnection <server-ip-or-hostname> -Port 443
Test-NetConnection <server-ip-or-hostname> -Port 3389
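The client-side test above says only whether the port answers. The function below is an added example (not from the original article) covering the server-side half of this checklist for any port: the live profile per adapter, whether anything is listening, and every enabled inbound allow rule that covers the port with its profile and remote scope. It also serves as the verification step for the RDP section earlier on this page, since it flags any rule that still opens the port to Any.

```powershell
# Added example, not from the original article. Run elevated on the VPS. It
# does not replace checking the provider's firewall or security group, which
# Windows cannot see.
function Test-InboundExposure {
    param(
        [Parameter(Mandatory)][int]$LocalPort,
        [string]$Protocol = 'TCP'
    )

    # 1. Live profile per NIC. Rules bound to another profile are inert.
    $active = @(Get-NetConnectionProfile | ForEach-Object {
        "$($_.NetworkCategory)" -replace 'DomainAuthenticated', 'Domain'
    })

    # 2. Is anything listening? No listener means the firewall is not the problem.
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $LocalPort -ErrorAction SilentlyContinue)

    # 3. Enabled inbound Allow rules that cover this port (exact match or Any;
    #    port ranges such as 5000-5010 are not expanded here). Slow on hosts
    #    with hundreds of rules because each rule needs two filter lookups.
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule = $_
        $pf = $rule | Get-NetFirewallPortFilter
        if ($pf.Protocol -ne $Protocol) { return }
        if (-not ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -eq "$LocalPort")) { return }
        $af = $rule | Get-NetFirewallAddressFilter
        $ap = $rule | Get-NetFirewallApplicationFilter
        $ruleProfile = "$($rule.Profile)"      # e.g. 'Any' or 'Private, Public'
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $ruleProfile
            AppliesNow    = ($ruleProfile -eq 'Any') -or [bool]($active | Where-Object { $ruleProfile -match $_ })
            RemoteAddress = ($af.RemoteAddress -join ',')
            Program       = $ap.Program
        }
    }

    [pscustomobject]@{
        Port           = "$Protocol/$LocalPort"
        ActiveProfiles = ($active -join ',')
        Listening      = $listening
        MatchingRules  = @($rules).Count
        OpenToAny      = [bool]($rules | Where-Object { $_.AppliesNow -and $_.RemoteAddress -eq 'Any' })
        Rules          = $rules
    }
}

# Usage: summary first, then per-rule detail.
$r = Test-InboundExposure -LocalPort 3389
$r | Select-Object Port, ActiveProfiles, Listening, MatchingRules, OpenToAny | Format-List
$r.Rules | Format-Table -AutoSize
```

Read the summary as a decision tree: Listening false means fix the service, not the firewall; MatchingRules zero or AppliesNow false on every rule means the rule or its profile is wrong; OpenToAny true on a management port means an unscoped rule (typically a built-in group) still needs to be restricted.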

netsh advfirewall (legacy-friendly alternative)

PowerShell (the NetSecurity module) is the recommended tool on modern Windows Server, but you will still see netsh advfirewall in older scripts. Its rules are the same objects, so mixing the two is safe as long as you remember that group-level commands affect every rule in the group.

# Example: enable the built-in Remote Desktop rule group, scoped to a trusted source.
# Without remoteip= the group allows 3389 from any address; replace x.x.x.x with your IP.
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes remoteip=x.x.x.x

Conclusion

A secure Windows Server firewall strategy is simple and effective: block inbound by default, allow only required services, restrict management ports by IP, and enable logging for visibility.

For production workloads, deploy on a reliable Windows VPS with predictable networking on VPS hosting, and keep your firewall rules minimal, documented, and easy to audit.
