Configuring built-in Windows Firewall for my VPS which hosts my webpage...

Hi, I rent a VPS and use IIS to host a very simple webpage. I was inundated by viruses/trojans a while ago as I guess I didn't have enough firewall protection. I've since cleaned that all up and began trying different firewall products - ZoneAlarm, Comodo, PrivateFirewall - but all of them also block any users from accessing my webpage. When I just enable Windows Firewall alone, then users can access my webpage fine, but I'm afraid I'm leaving myself wide open to hacks once again.
I asked my VPS tech support about this and they sent me this link on how to configure Windows Firewall... but it's way over my head. I'm brand new at using VPS and IIS to host my own website and it's all uncharted territory for me. Can someone give me some guidance on what settings I need to configure in order to protect from hacking, but still allow any users to call up my webpage?

Thanks
Shawn
shawn857 asked:
Russ Suter (Senior Software Developer) commented:
Windows firewall can handle this just fine. You need 2 inbound rules. The first will allow traffic on port 80 for HTTP and port 443 for HTTPS traffic. Set it for any local and any remote addresses, protocol should be TCP.

The second rule should block all other traffic. Here's where it gets a little tricky. Most firewalls adopt a top-down rule order meaning the first rule from the top down that matches the criteria is the one that takes priority. Windows Firewall, however, applies deny rules before allow rules so your 2nd rule has to be broken into 3 parts. All 3 parts will be set to block. The first rule is for ports 0-79, the second for ports 81-442, and the third for ports 444-65535. It's a bit messy but that will explicitly deny all traffic outside those ports.

It is still possible to get a virus through ports 80 or 443 though. There's no way around that without good antivirus software and a Web Application Firewall, the latter of which probably won't be an option in your VPS environment.

shawn857 (Author) commented:
Thanks Russ. Where/how do I set these rules? I've never dealt with configuring Windows Firewall before...

Thanks
Shawn
Russ Suter (Senior Software Developer) commented:
Open the start menu, type "windows firewall with advanced security" in the search box.

If you're using Windows 8 or Server 2012 just get yourself to the ugly Metro start screen and start typing "windows firewall with advanced security".

You should get the firewall snap-in. From there you can configure your inbound rules. You'll probably see a lot of built-in rules already configured. You can ignore those if you wish and just create the rules as outlined above.
shawn857 (Author) commented:
Thanks Russ, I've read a little about this "snap-in" before, but never saw how/where to get it. How do I get it?

Thanks
Shawn
shawn857 (Author) commented:
Here's what I see Russ (see attached screenshot). Does this mean I already have the "snap-in"?

Thanks
Shawn

(Attached screenshot: WindowsFirewall.JPG)
Russ Suter (Senior Software Developer) commented:
Yep, that's the one. You just need to add the inbound rules as specified in my earlier response.
shawn857 (Author) commented:
Russ, it looks like I might already have those inbound rules in there already "pre-defined" - port 80 for HTTP and port 443 for HTTPS. Please take a look at this screenshot.

Thanks
Shawn

(Attached screenshot: FirewallRules.JPG)
Russ Suter (Senior Software Developer) commented:
That wouldn't surprise me. If that's the case you can add the block rules as I indicated above. You can also turn off most of the existing allow rules but be careful. If you turn off the RDP allow rules you might disconnect yourself from the VPS. If that happens you have to call the hosting company and sheepishly ask them to undo what you did to allow you access again.

Before you do any of this might I suggest that you try GRC Shields Up service to determine just what ports are open on your server. From the server just open a browser and go to www.grc.com and choose "Shields UP!" from the services menu. You'll want to scan all service ports.
shawn857 (Author) commented:
Thanks Russ. It appears that ONLY port 80 is open - all the rest are "stealthed" - so that's good, I guess. I ran a few of the tests on that site (useful site!). Here is a summary:

FILE SHARING TEST
-----------------

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.

Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.

COMMON PORTS TEST
-----------------

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)

Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.

80 - The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away.

ALL SERVICE PORTS
-----------------

Port 80 is open (as expected). All the rest of the ports are "stealthed"

Anything there I should be concerned about, do you think?

Thanks!
Shawn
shawn857 (Author) commented:
I guess what you said "Windows Firewall, however, applies deny rules before allow rules", is not really the case because I just blocked myself out when I applied the very last block rule for ports 444-65535. All was going good before that, as I was disconnecting from RDP and re-connecting after each of the first 2 block rules I entered... just to make sure everything was okay. On that final block rule, I have now blocked myself out. RDP won't connect, and I had a backup VNC connection that used to work too (on port 5900... there *is* a specific "Allow" rule for this in the list of rules in Windows Firewall), but now it doesn't work either :-(

Shawn
shawn857 (Author) commented:
OK, fortunately I had *another* backup connection method (TeamViewer) installed that miraculously worked (...since it never did before). So I managed to sign in and I disabled the 3 blocking rules you recommended I create. Now RDP works again.
I googled what port RDP uses and it says 3389. VNC uses port 5900. So shouldn't my block rules *not* include these ports?

Thanks
Shawn
Russ Suter (Senior Software Developer) commented:
Like I said, you need to be careful when applying deny rules to a remote machine as it can block your access. You got away with it this time.

You should create additional rules that do allow necessary traffic for RDP sessions but you can restrict those rules to only allow from certain IP addresses which will increase your security profile. RDP does use port 3389, VNC is configurable but uses 5900 by default. Go ahead and create allow rules for those but specify a source IP address or addresses so it limits connectivity only to known, trusted IP addresses.

Of course if you are using a DHCP assigned address that can be a problem.
shawn857 (Author) commented:
Allow rules don't seem to successfully "override" the block rules in Windows Firewall, as you suggested. I'm leery to do this.

Also, it's quite possible I might have to sign in to my VPS from computers other than my normal home location, so I don't think I can make IP-specific rules for that.

Can I still create the Block Rules, but leave out ports 3389 and 5900? That would mean my UNblocked ports would be:

80
443
3389
5900

Is there a way I can further "secure" ports 80 and 443 - since I know I *ONLY* want HTTP/HTTPS requests for these ports, and nothing else?

Thanks
Shawn
Russ Suter (Senior Software Developer) commented:
That is correct. Block rules take priority over allow rules in Windows Firewall. That's why you need to be very careful when creating block rules that you don't block yourself out.

It appears as though your reasoning is sound. You can leave those 4 ports open. Ports 80 and 443 shouldn't accept protocols other than HTTP/HTTPS by default so you should be fine there. The only real way to increase your security and leave those ports open is with a WAF as I said before and that's not likely an option in a VPS environment.

You've probably done all you can once you've got the rules in place. As I said above do yourself a favor and go to www.grc.com and check your ports with Shields Up once you're done configuring.
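The inbound rule set this thread arrives at (allow 80/443 from anywhere, allow RDP/VNC only from known addresses, then explicit block rules that leave those four ports out), written as a PowerShell example added here rather than taken from the answers above. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, and the management address is a constructed placeholder.

```powershell
# Added example (not from the thread): inbound Windows Firewall rules for a VPS
# that serves HTTP/HTTPS and is managed over RDP/VNC. Run from an elevated
# PowerShell prompt on the server itself (Windows 8 / Server 2012 or later).

# Assumption: management is RDP (3389) and VNC (5900). The address below is a
# constructed placeholder from the TEST-NET-3 documentation range; replace it
# with the address(es) you really connect from, or use 'Any' if, like the asker,
# you cannot predict your source address (weaker, but it will not lock you out).
$ManagementSources = @('203.0.113.10')

# 1. Make sure every profile already drops unsolicited inbound traffic by default.
#    With this in place the explicit block rules in step 4 add nothing the
#    default does not already do; they are kept only to mirror the thread.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Web traffic: TCP 80 and 443 from any remote address (the first allow rule).
New-NetFirewallRule -DisplayName 'Web: allow HTTP/HTTPS inbound' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80,443 -RemoteAddress Any

# 3. Remote management: same ports as the thread, but scoped to known sources.
New-NetFirewallRule -DisplayName 'Management: allow RDP/VNC from known IPs' `
    -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389,5900 `
    -RemoteAddress $ManagementSources

# 4. Explicit block of every other TCP port. Windows Firewall evaluates Block
#    rules before Allow rules, so these ranges MUST skip 80, 443, 3389 and 5900;
#    a range such as 444-65535 (the one that locked the asker out) overrides the
#    allow rules above the moment it is enabled.
$BlockedRanges = @('1-79', '81-442', '444-3388', '3390-5899', '5901-65535')
New-NetFirewallRule -DisplayName 'Block: all other TCP inbound' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $BlockedRanges

# 5. Review the result before disconnecting: each rule, its action, the local
#    ports it covers and the remote addresses it applies to.
Get-NetFirewallRule -DisplayName 'Web:*', 'Management:*', 'Block:*' |
    ForEach-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
        $from  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-45} {1,-6} ports={2} from={3}' -f $_.DisplayName, $_.Action, $ports, $from
    }
```

Inbound UDP is not touched by the block rule in step 4; it falls through to the profile default, which step 1 sets to Block.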
shawn857 (Author) commented:
Russ, my VPS has been bug- and trojan-free for the last few days since implementing the Advanced security in Windows Firewall... I haven't even enforced those various block rules yet - it doesn't appear that I need them (not yet anyways). But if I get another attack, that's what I'll do. For now though, things are running clean... thank you for your help.

Cheers
Shawn