shawn857


Configuring built-in Windows Firewall for my VPS which hosts my webpage...

Hi, I rent a VPS and use IIS to host a very simple webpage. I was inundated by viruses/trojans a while ago as I guess I didn't have enough firewall protection. I've since cleaned that all up and began trying different firewall products - ZoneAlarm, Comodo, PrivateFirewall - but all of them also block any users from accessing my webpage. When I just enable Windows Firewall alone, then users can access my webpage fine, but I'm afraid I'm leaving myself wide open to hacks once again.
   I asked my VPS tech support about this and they sent me this link on how to configure Windows Firewall... but it's way over my head. I'm brand new at using VPS and IIS to host my own website and it's all uncharted territory for me. Can someone give me some guidance on what settings I need to configure in order to protect from hacking, but still allow any users to call up my webpage?

Thanks
    Shawn
ASKER CERTIFIED SOLUTION
Russ Suter

This solution is only available to members.
shawn857

ASKER

Thanks Russ. Where/how do I set these rules? I've never dealt with configuring Windows Firewall before...

Thanks
    Shawn
Open the start menu, type "windows firewall with advanced security" in the search box.

If you're using Windows 8 or Server 2012 just get yourself to the ugly Metro start screen and start typing "windows firewall with advanced security".

You should get the firewall snap-in. From there you can configure your inbound rules. You'll probably see a lot of built-in rules already configured. You can ignore those if you wish and just create the rules as outlined above.
Thanks Russ, I've read a little about this "snap-in" before, but never saw how/where to get it. How do I get it?

Thanks
   Shawn
Here's what I see Russ (see attached screenshot). Does this mean I already have the "snap-in"?

Thanks
   Shawn
WindowsFirewall.JPG
Yep, that's the one. You just need to add the inbound rules as specified in my earlier response.
Russ, it looks like I might already have those inbound rules in there already "pre-defined" - port 80 for HTTP and port 443 for HTTPS. Please take a look at this screenshot.

Thanks
   Shawn
FirewallRules.JPG
That wouldn't surprise me. If that's the case you can add the block rules as I indicated above. You can also turn off most of the existing allow rules but be careful. If you turn off the RDP allow rules you might disconnect yourself from the VPS. If that happens you have to call the hosting company and sheepishly ask them to undo what you did to allow you access again.

Before you do any of this might I suggest that you try GRC Shields Up service to determine just what ports are open on your server. From the server just open a browser and go to www.grc.com and choose "Shields UP!" from the services menu. You'll want to scan all service ports.
Thanks Russ. It appears that ONLY port 80 is open - all the rest are "stealthed" - so that's good, I guess. I ran a few of the tests on that site (useful site!). Here is a summary:


FILE SHARING TEST
-----------------

      Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
      Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.



COMMON PORTS TEST
-----------------

Solicited TCP Packets: RECEIVED (FAILED) — As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.


Unsolicited Packets: PASSED — No Internet packets of any sort were received from your system as a side-effect of our attempts to elicit some response from any of the ports listed above. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system remained wisely silent. (Except for the fact that not all of its ports are completely stealthed as shown below.)


Ping Echo: PASSED — Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests) from our server.


80 - The web is so insecure these days that new security "exploits" are being discovered almost daily. There are many known problems with Microsoft's Personal Web Server (PWS) and its Frontpage Extensions that many people run on their personal machines. So having port 80 "open" as it is here causes intruders to wonder how much information you might be willing to give away.


ALL SERVICE PORTS
-----------------

Port 80 is open (as expected). All the rest of the ports are "stealthed"


Anything there I should be concerned about, do you think?

Thanks!
    Shawn
I guess what you said, "Windows Firewall, however, applies deny rules before allow rules", is not really the case because I just blocked myself out when I applied the very last block rule for ports 444-65535. All was going well before that, as I was disconnecting from RDP and re-connecting after each of the first 2 block rules I entered... just to make sure everything was okay. On that final block rule, I have now blocked myself out. RDP won't connect, and I had a backup VNC connection that used to work too (on port 5900... there *is* a specific "Allow" rule for this in the list of rules in Windows Firewall), but now it doesn't work either  :-(

Shawn
OK, fortunately I had *another* backup connection method (TeamViewer) installed that miraculously worked (...since it never did before). So I managed to sign in and I disabled the 3 blocking rules you recommended I create. Now RDP works again.
   I googled what port RDP uses and it says 3389. VNC uses port 5900. So shouldn't my block rules *not* include these ports?

Thanks
   Shawn
Like I said, you need to be careful when applying deny rules to a remote machine as it can block your access. You got away with it this time.

You should create additional rules that do allow necessary traffic for RDP sessions but you can restrict those rules to only allow from certain IP addresses which will increase your security profile. RDP does use port 3389, VNC is configurable but uses 5900 by default. Go ahead and create allow rules for those but specify a source IP address or addresses so it limits connectivity only to known, trusted IP addresses.

Of course if you are using a DHCP assigned address that can be a problem.
Allow rules don't seem to successfully "override" the block rules in Windows Firewall, as you suggested. I'm leery to do this.

Also, it's quite possible I might have to sign in to my VPS from computers other than my normal home location, so I don't think I can make IP-specific rules for that.

Can I still create the Block Rules, but leave out ports 3389 and 5900? That would mean my UNblocked ports would be:

80
443
3389
5900

Is there a way I can further "secure" ports 80 and 443 - since I know I *ONLY* want HTTP/HTTPS requests for these ports, and nothing else?

Thanks
    Shawn
That is correct. Block rules take priority over allow rules in Windows Firewall. That's why you need to be very careful when creating block rules that you don't block yourself out.

It appears as though your reasoning is sound. You can leave those 4 ports open. Ports 80 and 443 shouldn't accept protocols other than HTTP/HTTPS by default so you should be fine there. The only real way to increase your security and leave those ports open is with a WAF as I said before and that's not likely an option in a VPS environment.

You've probably done all you can once you've got the rules in place. As I said above do yourself a favor and go to www.grc.com and check your ports with Shields Up once you're done configuring.
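
Added example, not part of the original thread: PowerShell for an elevated session on the server that turns the keep-open list from the question (80, 443, 3389, 5900) into block ranges that skip those ports, refuses to continue if any range would cover one of them, and flags existing block rules that do. The rule name, the helper function names and the TCP-only scope are assumptions.

```powershell
# Added example. Ports to keep reachable come from the list in the thread;
# the rule name, helper names and the TCP-only scope are assumptions.
$KeepOpen = 80, 443, 3389, 5900

function Get-BlockRanges {
    # Return port specs covering 1..65535 except the ports in $Keep.
    param([ValidateRange(1, 65535)][int[]]$Keep)
    $specs = @()
    $start = 1
    foreach ($p in ($Keep | Sort-Object -Unique)) {
        if (($p - 1) -gt $start)     { $specs += "$start-$($p - 1)" }
        elseif (($p - 1) -eq $start) { $specs += "$start" }
        $start = $p + 1
    }
    if ($start -lt 65535)     { $specs += "$start-65535" }
    elseif ($start -eq 65535) { $specs += '65535' }
    return $specs
}

function Test-SpecCoversPort {
    # True when a LocalPort spec ("Any", "3389", "444-65535") includes $Port.
    param([string]$Spec, [int]$Port)
    if ($Spec -eq 'Any') { return $true }
    if ($Spec -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1]) -and ($Port -le [int]$Matches[2])
    }
    return $Spec -eq "$Port"
}

$specs = Get-BlockRanges -Keep $KeepOpen

# Pre-flight: a block rule beats any allow rule, so stop if a proposed
# spec covers a port that has to stay open.
foreach ($spec in $specs) {
    foreach ($port in $KeepOpen) {
        if (Test-SpecCoversPort -Spec $spec -Port $port) {
            throw "Block spec $spec would cut off port $port"
        }
    }
}

# Flag enabled inbound block rules already present that cover a kept port.
# A warning means "inspect this rule"; it may be limited by program or protocol.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        foreach ($spec in ($rule | Get-NetFirewallPortFilter).LocalPort) {
            foreach ($port in $KeepOpen) {
                if (Test-SpecCoversPort -Spec $spec -Port $port) {
                    Write-Warning "$($rule.DisplayName) blocks port $port via '$spec'"
                }
            }
        }
    }

# Dry run first; remove -WhatIf to create the rule.
New-NetFirewallRule -DisplayName 'Block unused inbound TCP (example)' `
    -Direction Inbound -Action Block -Protocol TCP -LocalPort $specs -WhatIf
```

Keep a second access path (the hosting provider's console, for instance) available before removing `-WhatIf`, since a mistake in a block rule takes effect on the live RDP session immediately.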
Russ, my VPS has been bug and trojan-free for the last few days since implementing the Advanced security in Windows Firewall... I haven't even enforced those various block rules yet - it doesn't appear that I need them (not yet anyways). But if I get another attack, that's what I'll do. For now though, things are running clean.... thank you for your help.

Cheers
   Shawn