
I am using a Windows Server 2022 VPS as a web server to host a website only. When the VPS was first set up for me, I saw the following ports for Inbound in Windows Firewall were already enabled (the port is on the very right side with TCP or UDP in front of it):

  • Cast to Device streaming server (HTTP-Streaming-In) TCP 10246
  • DIAL protocol server (HTTP-In) TCP 10247
  • Cast to Device functionality (qWave-TCP-In) TCP 2177
  • Cast to Device functionality (qWave-UDP-In) UDP 2177
  • Cast to Device streaming server (RTSP-Streaming-In) TCP 23554, 23555, 23556
  • Cast to Device UPnP Events (TCP-In) TCP 2869
  • Microsoft Media Foundation Network Source IN UDP [UDP 5004-5009] 5000-5020
  • mDNS (UDP-In) UDP 5353
  • Microsoft Edge (mDNS-In) UDP 5353
  • Core Networking - Dynamic Host Configuration for IPv6 (DHCPV6-In) UDP 546
  • Microsoft Media Foundation Network Source IN [TCP 554] 554, 8554-8558
  • Core Networking - Dynamic Host Configuration (DHCP-In) UDP 68
  • Delivery Optimization (TCP-In) TCP 7680
  • AllJoyn Router (TCP-In) TCP 9995

I am only using my Windows 2022 server to host a website (my website runs on ASP.net MVC, and uses IIS of course). I did not set up any of these Windows Firewall Inbound rules. At the same time, I do want to secure my VPS, but of course, I also want my Windows 2022 VPS to function properly. Can I safely turn off the above Windows Firewall Inbound rules, to harden my VPS? Or will I run into problems if I disable some of the Windows Firewall Inbound rules above? Which rules/ports above need to be enabled and are not safe to disable?

vidarlo

1 Answer


A pure web server should only allow incoming HTTP and HTTPS connections, so the only open ports should be TCP 80 and 443 (plus UDP 443 if using QUIC). If using FTP and/or FTPS to upload files, you should open at least TCP ports 20, 21, 989 and 990 (plus other ranges required for a passive mode server).

From the list you posted above, only UDP 68 and 546 (DHCP) appear to be possibly useful, if and only if your server's IP is obtained via DHCP (unlikely). That said, this is generic advice only: your specific server/application can require any other ports, and it is not possible to predict what you will install/run on your server.

Moreover, be aware that securing a public server is much more than simply closing the unneeded ports. This is a basic first step, but please don't rely on the firewall alone to be "secure".

shodanshok
  • Hi, thanks for your answer! I closed some of the inbound ports in Windows Firewall, while using your answer as a general guide, and so far, it doesn't seem to have impacted the website from my testing. Also, do you know of a good basic guide on the internet to securing a Windows VPS for website use? Just wondering what other steps I need to take to help ensure my VPS is "secure." Thank you. – Programmer Joe Dec 30 '22 at 15:39
  • I think you are using IIS, so I would start from [here](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj635855(v=ws.11)) – shodanshok Dec 30 '22 at 17:04
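
One way to audit the enabled inbound rules against the port list in the answer above and disable the ones named in the question. This is an added example, not code from the thread; the keep list and the display-name patterns are assumptions taken from the answer and from the question's rule list, so adjust both to your server.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
# Ports the answer says a pure web server needs, plus DHCP if the address is leased.
$keep = 'TCP/80', 'TCP/443', 'UDP/443', 'UDP/68', 'UDP/546'

# Display-name patterns copied from the rule list in the question.
$unneeded = 'Cast to Device*', 'DIAL protocol server*',
            'Microsoft Media Foundation Network Source*',
            'mDNS (UDP-In)', 'Microsoft Edge (mDNS-In)',
            'Delivery Optimization*', 'AllJoyn Router*'

$report = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule   = $_
        $name   = $rule.DisplayName
        $filter = $rule | Get-NetFirewallPortFilter
        # LocalPort can be one port, several, a range such as 5000-5020, or 'Any'.
        $keys   = @($filter.LocalPort) | ForEach-Object { "$($filter.Protocol)/$_" }
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $name
            Profile     = $rule.Profile
            Ports       = $keys -join ', '
            # True only when every protocol/port pair of the rule is in the keep list.
            Keep        = -not ($keys | Where-Object { $_ -notin $keep })
            # True when the rule's display name matches one of the question's rules.
            Listed      = [bool]($unneeded | Where-Object { $name -like $_ })
        }
    }

# Everything enabled that falls outside the keep list, for manual review.
$report | Where-Object { -not $_.Keep } |
    Sort-Object DisplayName |
    Format-Table DisplayName, Profile, Ports -AutoSize

# Disable only the rules named in the question. Other rules (remote management,
# for example) are reported above but left alone. Remove -WhatIf to apply.
$targets = $report | Where-Object { $_.Listed -and -not $_.Keep }
if ($targets) {
    Disable-NetFirewallRule -Name $targets.Name -WhatIf
}
```

The rules are disabled, not deleted, so `Enable-NetFirewallRule` with the same names restores them if something stops working.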