Check profiles and enable firewall
Windows Firewall has three profiles: Domain / Private / Public. On a VPS the Public profile is usually the active one. A secure baseline is: inbound Block, outbound Allow.
GUI: “Windows Defender Firewall with Advanced Security” → root profile screen.
PowerShell:
Get-NetFirewallProfile | Select Name,Enabled,DefaultInboundAction,DefaultOutboundAction
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Making RDP secure (3389/TCP)
RDP is necessary for administering Windows VPS, but it cannot be opened to “everyone.” The procedure is straightforward: temporarily enable the default rules, create your own narrow rule based on the IP source, then disable the “broad” rules.
GUI (new rule wizard):
1. Inbound Rules → New Rule… → Port
2. TCP, Specific local ports: 3389
3. Allow the connection
After creating the rule, open Properties → Scope and specify Remote IP addresses (your static IP or VPN subnet). This scoping is what actually secures the rule; without it, 3389 is open to the whole internet.
PowerShell:
# When connecting for the first time: enable the standard group
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Strict rule only from your IP
New-NetFirewallRule -DisplayName "RDP inbound (admin IP only)" `
-Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
-RemoteAddress 203.0.113.50 -Profile Any
# After verification, disable “broad” RDP rules.
Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
Open only what is really necessary
IIS/HTTPS
New-NetFirewallRule -DisplayName "HTTP (80)" -Direction Inbound -Protocol TCP -LocalPort 80 -Action Allow
New-NetFirewallRule -DisplayName "HTTPS (443)" -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow
MS SQL (if used)
New-NetFirewallRule -DisplayName "MSSQL (1433)" -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow
(If these services are accessed only from known networks, set -RemoteAddress on these rules as well, exactly as for RDP.)
Enable logging (this is very helpful for debugging).
Record allowed and blocked connections in pfirewall.log.
GUI:
PowerShell:
Set-NetFirewallProfile -Profile Domain,Private,Public `
-LogFileName "C:\Windows\System32\LogFiles\Firewall\pfirewall.log" `
-LogMaxSizeKilobytes 32768 -LogAllowed True -LogBlocked True
Quick check from the outside
From the client PC, verify that the necessary ports are accessible:
# RDP
Test-NetConnection vps.example.ru -Port 3389
# Web
Test-NetConnection vps.example.ru -Port 80
Test-NetConnection vps.example.ru -Port 443
# SQL (if necessary)
Test-NetConnection vps.example.ru -Port 1433
TcpTestSucceeded: True — the rule works and the port is reachable. If it is False, check the rule's profile, its Scope (remote IP), and the external ACLs at the provider.
A short checklist of common mistakes
- RDP left “open to everyone”: add -RemoteAddress to your own rule and disable the default broad rules.
- Wrong profile: the rule is bound to Private, but the server's network is in Public, so the rule never matches.
- No logs: enable logging — otherwise “invisible” blocks are difficult to catch.
- Forgot the external firewall / security group (SG) of the Windows VPS provider: check it in parallel with the host firewall.
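To verify the checklist above in one pass, here is an added PowerShell audit script (example code, not part of the original guide). It assumes the built-in NetSecurity module and an elevated session, and it reports any profile that is disabled, not blocking inbound traffic, or not logging blocked connections, any enabled inbound rule that allows TCP 3389 from Any remote address, and any 3389 rule bound to a profile that is not the active one.

```powershell
# Added audit example (not part of the original guide). Assumes the built-in
# NetSecurity module (Windows Server 2012+ / PowerShell 5.1+) and an elevated session.
$findings = @()

# 1. Profiles: enabled, default inbound Block, blocked connections logged.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings += "Profile $($p.Name): firewall is disabled" }
    if ($p.DefaultInboundAction -ne 'Block') {
        $findings += "Profile $($p.Name): default inbound is $($p.DefaultInboundAction), expected Block"
    }
    if ($p.LogBlocked -ne 'True') { $findings += "Profile $($p.Name): LogBlocked is off" }
}

# 2. Profiles actually active on the adapters (NetworkCategory says 'DomainAuthenticated').
$active = @(Get-NetConnectionProfile | ForEach-Object {
    $_.NetworkCategory.ToString() -replace 'DomainAuthenticated', 'Domain' })

# 3. Enabled inbound Allow rules that expose TCP 3389.
foreach ($r in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
    $port = $r | Get-NetFirewallPortFilter
    if ($port.Protocol -ne 'TCP') { continue }
    $ports = @($port.LocalPort)                     # string or string[] ('3389', 'Any', ...)
    if ($ports -notcontains '3389' -and $ports -notcontains 'Any') { continue }

    $remote = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
    if ($remote -contains 'Any') {
        $findings += "Rule '$($r.DisplayName)': TCP 3389 allowed from Any remote address"
    }

    # A rule bound only to an inactive profile never matches traffic (checklist item 2).
    $rp = $r.Profile.ToString()                     # e.g. 'Any', 'Public', 'Private, Public'
    if ($active.Count -gt 0 -and $rp -ne 'Any' -and
        -not ($active | Where-Object { $rp -like "*$_*" })) {
        $findings += "Rule '$($r.DisplayName)': profile '$rp' but active profile(s): $($active -join ', ')"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Firewall baseline OK: inbound blocked, RDP scoped, logging on" }
```

Run it after applying the rules and again after any provider-side change; a clean run still does not replace checking the provider's external firewall or security group.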