Windows Server UDP 80 443 web open port

  • Question

  • hello.

    I have a domain.

    One of the servers that is joined to the domain needs access to the domain and other intranet servers, but only needs access to ports 80 and 443 on the internet.

    Which inbound or outbound rules are needed in the private, public, and domain firewall profiles?

    Thanks

    Saturday, July 1, 2017 7:26 AM

Answers

  • Are you referring to limiting outbound on the computer itself to HTTP/HTTPS and ports essential for Windows networking to function? 

    You also mention UDP 80/443 as opposed to TCP in your question subject, which has me a little confused, but I think you mean TCP 80/443.

    Honestly, it is probably the easiest to block all traffic to the internet except 80/443 from your client network subnet at your firewall. Having said that, this won't apply if the machines leave your network. Are you primarily a laptop fleet or desktops?

    If you have laptops, I would use GPO to configure the public and private rules to disallow ALL traffic except for TCP 80 (HTTP), TCP 443 (HTTPS) and UDP 53 (DNS) outbound. I would then leave the domain rule as is, and use your network firewall to restrict that traffic.


    If this helped you please click "Vote As Helpful"; if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Monday, July 3, 2017 3:51 AM

All replies

  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.


    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, July 17, 2017 6:19 AM
    Moderator
  • Hello.

    I have a web server.

    I need to block all connections except 80 and 443.

    But this server needs to contact other servers in my domain.

    Which is the best way to configure my firewall, inbound or outbound, and in my private, public, and domain zones?

    Note: I need to remote to my web server.

    Thanks


    Tuesday, July 18, 2017 8:04 AM
  • Are you solely relying on Windows Firewall? Or do you have a network firewall in front of it? 

    Without knowing a lot about your infrastructure:

    I'd recommend a network firewall and inbound allow TCP 80 (for HTTP) and TCP 443 (for HTTPS).

    If you intend to use RDP to remote to your server open TCP 3389, but restrict the allowed source IP addresses to your source management IP. You can also change the default port to something other than 3389 through the registry.

    Make sure all Windows firewall profiles are on. You will need to ensure TCP 80, 443 and 3389 (as above) are open on public. 

    Is your web server on the domain? Generally I would avoid this, but if it is, you can leave the domain profile as is.

    For outbound if you need web access (e.g. to run updates) - allow TCP 443, 80 and if not using DNS resolution through other means (internal DNS server with forwarding) allow UDP 53 outbound also. Otherwise you could block everything outbound if it is not needed.



    If this helped you please click "Vote As Helpful"; if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security)
    Twitter @georgathomas

    This forum post is my own opinion and does not reflect the opinion or view of my employer.

    Wednesday, July 19, 2017 5:23 AM
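The host-based rule set Georg describes in the reply above, written out as an added PowerShell example (this is not code from the thread). It assumes an elevated PowerShell session on the web server, that the domain profile is left at its defaults as advised, and that 203.0.113.10 is a placeholder for your management workstation's address.

```powershell
# Added example: Windows Firewall rules for a public-facing web server.
# ASSUMPTION: 203.0.113.10 stands in for your management workstation.
$MgmtIP   = '203.0.113.10'
$Profiles = 'Public','Private'   # domain profile is deliberately not touched

# 1. Allow rules first, so an existing RDP session survives step 3.
#    Inbound: the web service, plus RDP only from the management host.
New-NetFirewallRule -DisplayName 'Web-In HTTP/HTTPS' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Profile $Profiles -Action Allow
New-NetFirewallRule -DisplayName 'Web-In RDP (mgmt only)' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtIP `
    -Profile $Profiles -Action Allow

# 2. Outbound: web (updates) and DNS; anything else is blocked by step 3.
New-NetFirewallRule -DisplayName 'Web-Out HTTP/HTTPS' -Direction Outbound `
    -Protocol TCP -RemotePort 80,443 -Profile $Profiles -Action Allow
New-NetFirewallRule -DisplayName 'Web-Out DNS' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -Profile $Profiles -Action Allow

# 3. Every profile on; default-deny both directions on the non-domain
#    profiles. The outbound default of Block is what turns "allow 80/443/53"
#    into "nothing else reaches the internet".
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Set-NetFirewallProfile -Profile $Profiles `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 4. Verify: print each created rule with its port and address filters.
Get-NetFirewallRule -DisplayName 'Web-*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    '{0,-24} {1,-8} {2,-4} local={3} remote={4} from={5}' -f $_.DisplayName,
        $_.Direction, $port.Protocol, ($port.LocalPort -join ','),
        ($port.RemotePort -join ','), ($addr.RemoteAddress -join ',')
}
```

If the server will also need to reach a proxy, WSUS server or internal DNS forwarder on another port, add that as a further Allow rule before applying the outbound default of Block.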