• Pricing
  • Performance
  • About Us
PricingPerformanceAbout Us
Sign InSign Up
  • Pricing
  • Performance
  • About Us
PricingPerformanceAbout Us
Sign InSign Up
Sign InGet Started

High-Performance Cloud Infrastructure

Empowering businesses with enterprise-grade cloud solutions at competitive prices. Built for reliability and simplicity. Designed for growth.

SOC 2 Compliant
ISO 27001
99.9% Uptime

Stay Updated

1000+

Customers

15,000+

VMs Deployed

24/7

Human Support

Products

Build

  • Raff VM
  • Raff Windows VM
  • Raff AppsSoon
  • Kubernetes

Templates

  • Linux VM
  • Forex VM
  • n8n VM

Store

  • Raff S3
  • Raff DatabasesSoon

Support

  • Documentation
  • API Reference
  • CLI
  • Terraform Provider
  • Contact
  • FAQ
  • Status

Company

  • About
  • Pricing
  • Blog
  • Release Notes
  • Performance
  • Status

Account

  • Sign In
  • Sign Up
  • Reset Password

Legal

  • Terms of Service
  • Privacy Policy
  • Service Level Agreement
  • Acceptable Use Policy

© 2026 Raff Technologies. All rights reserved.

System Status
Security & hardening
Security & hardeningintermediate8 min read·Updated May 24, 2026

Configure Windows Firewall on a Windows VPS

Check Windows Firewall profiles, inspect RDP rules, create a safe test inbound rule, and clean it up on a Raff Windows Server VPS.

Aybars Altınyay
Aybars Altınyay
Platform Engineer & Technical Writer
Genuine, fully-licensed Windows
Spin up a Windows Server: full admin, RDP-ready
Genuine Windows Server 2019, 2022, or 2025 with full administrator access. We handle the Microsoft licensing, billed monthly with nothing to buy upfront.
Deploy Windows NowLearn MoreTalk to Windows Engineer
PowerShell output showing Windows Server 2025 test environment and enabled Windows Firewall profiles on a Raff VPS.

In short

Windows Firewall is the first control layer between your Windows VPS and unwanted network traffic. On a production server, leave the firewall enabled, review exposed inbound rules, allow only the ports your workload needs, and remove test rules after validation. This guide shows how to check firewall profiles, inspect RDP rules, create a safe test inbound rule, and clean it up on a Raff Windows Server VPS.

Quick verdict

TaskRecommended action
Check if Windows Firewall is enabledUse Get-NetFirewallProfile
Review RDP exposureInspect the Remote Desktop rule group
Open a production portCreate a narrow inbound rule for that exact port
Test a firewall changeUse a temporary rule and remove it afterward
Expose SQL Server, IIS, or app portsAllow only required sources where possible
Unsure whether a rule is neededDo not open the port until the service requires it

Default rule: block inbound traffic unless you have a clear reason to allow it.

Why Windows Firewall matters on a VPS

A Windows VPS is reachable over the network. That makes firewall configuration part of the server’s security baseline.

Windows Firewall is a host-based firewall included with Windows. It controls inbound and outbound traffic on the machine itself. Microsoft documents Windows Firewall as enabled by default and designed to help filter network traffic by profile, rule, application, port, and other conditions.

For SMB workloads, firewall mistakes usually happen in one of two ways:

  1. Too many inbound ports are opened “just in case.”
  2. Important rules are changed without checking what already exists.

Both are avoidable.

A good Windows VPS firewall setup follows this rule:

Open only what the workload needs, keep RDP controlled, document every custom rule, and remove test rules after testing.

What we tested on Raff

We tested this walkthrough on a Raff Windows VPS running Windows Server 2025 Datacenter Evaluation.

PowerShell output showing Remote Desktop firewall rules with display name, enabled state, direction, action, and profile.

Test environment:

ItemValue
ProviderRaff Technologies
OSWindows Server 2025 Datacenter Evaluation
Build26100
CPU4 vCPU
RAMApproximately 8 GB
Test date2026-05-24
TesterAybars Altinyay

On this VM, we verified:

  • Windows Server version and hardware details
  • Firewall profile status
  • Existing RDP firewall rules
  • Creation of a temporary inbound TCP rule
  • Cleanup/removal of the temporary test rule

We did not expose a production application port in this test. The custom rule used TCP 54321 only as a temporary demonstration rule.

Step 1 - Check Windows Firewall profiles

Start by checking the firewall profiles.

Run PowerShell as Administrator:

Powershell
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

You should see the main profiles:

  • Domain
  • Private
  • Public

In our Raff test, all three profiles were enabled.

PowerShell output showing Windows Server 2025 test environment and enabled Windows Firewall profiles on a Raff VPS.

If the Enabled column shows True, the firewall profile is active.

If DefaultInboundAction or DefaultOutboundAction shows NotConfigured, that means no explicit local default action is set in that policy view. Do not treat that as the firewall being disabled. Check the Enabled column first.

Step 2 - Review existing RDP firewall rules

Remote Desktop is the most important firewall rule group on many Windows VPS deployments.

Run:

Powershell
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize

PowerShell output showing existing Remote Desktop firewall rules on a Windows Server VPS.

Review:

FieldMeaning
DisplayNameHuman-readable firewall rule name
EnabledWhether the rule is active
DirectionInbound or outbound
ActionAllow or block
ProfileDomain, Private, Public, or Any

For production servers, RDP deserves special care. If possible, restrict RDP access to known IP addresses, a VPN, or a trusted administrative network. Do not leave broad public RDP exposure unless you have a deliberate operational reason and additional controls.

Step 3 - Create a safe temporary test rule

For this guide, we created a harmless demonstration rule for TCP port 54321.

This shows the syntax for creating a firewall rule without exposing a real production service like SQL Server or IIS.

Run:

Powershell
New-NetFirewallRule -DisplayName "Raff Test Inbound Rule TCP 54321" -Direction Inbound -Protocol TCP -LocalPort 54321 -Action Allow -Profile Any

Then verify the rule:

Powershell
Get-NetFirewallRule -DisplayName "Raff Test Inbound Rule TCP 54321" | Select-Object DisplayName, Enabled, Direction, Action, Profile

PowerShell output showing a temporary inbound Windows Firewall rule created for TCP port 54321.

This command creates an inbound allow rule.

Important: opening a firewall port does not automatically mean an application is listening on that port. A service still needs to bind to the port before traffic can reach an application. The firewall rule only controls whether Windows allows the traffic through.

Don’t have a server yet?

Deploy Windows NowLearn MoreTalk to Windows Engineer

Step 4 - Remove the temporary test rule

Do not leave test rules behind.

Remove the rule:

Powershell
Remove-NetFirewallRule -DisplayName "Raff Test Inbound Rule TCP 54321"

Then verify cleanup:

Powershell
if (Get-NetFirewallRule -DisplayName "Raff Test Inbound Rule TCP 54321" -ErrorAction SilentlyContinue) { Write-Output "Test firewall rule still exists" } else { Write-Output "Test firewall rule removed" }

PowerShell output confirming the temporary Windows Firewall test rule was removed.

A clean firewall is easier to audit. Temporary rules should not survive the test session.

Step 5 - Use narrower rules for real workloads

For production, avoid broad rules when a narrower one works.

A broad rule looks like this:

Powershell
New-NetFirewallRule -DisplayName "Allow App Port" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow -Profile Any

A better rule restricts the source IP:

Powershell
New-NetFirewallRule ` -DisplayName "Allow App Port 8080 from Office IP" ` -Direction Inbound ` -Protocol TCP ` -LocalPort 8080 ` -RemoteAddress 203.0.113.10 ` -Action Allow ` -Profile Any

Use source restrictions for admin ports, database ports, internal APIs, and management tools whenever possible.

Common ports and what to do with them

PortServiceRecommendation
TCP 3389RDPRestrict if possible; monitor closely
TCP 80HTTP / IISOpen only if hosting a public website
TCP 443HTTPS / IISOpen for public HTTPS websites and APIs
TCP 1433SQL ServerDo not expose publicly; restrict to trusted IPs
TCP 445SMB file sharingAvoid exposing to the public internet
TCP 5985WinRM HTTPAvoid public exposure
TCP 5986WinRM HTTPSRestrict to admin IPs or VPN
Custom app portsBusiness applicationsOpen only the exact required port and source

If a workload does not require an inbound port from the internet, do not open it.

Recommended firewall workflow

Use this workflow when changing Windows Firewall on a production VPS:

  1. Identify the application and required port.
  2. Confirm whether the service is actually listening.
  3. Decide who needs access.
  4. Create the narrowest possible allow rule.
  5. Test from the expected client network.
  6. Document the rule name, port, protocol, and reason.
  7. Remove temporary or failed test rules.
  8. Review custom rules monthly.

For example, if a SQL Server instance only needs access from your office IP, do not open TCP 1433 to the entire internet. Allow the office IP only.

Useful firewall commands

List all enabled inbound allow rules

Powershell
Get-NetFirewallRule | Where-Object { $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" } | Select-Object DisplayName, Profile, Direction, Action | Format-Table -AutoSize

Find rules by name

Powershell
Get-NetFirewallRule | Where-Object DisplayName -like "*RDP*"

Disable a rule without deleting it

Powershell
Disable-NetFirewallRule -DisplayName "Rule Name"

Enable a disabled rule

Powershell
Enable-NetFirewallRule -DisplayName "Rule Name"

Remove a rule

Powershell
Remove-NetFirewallRule -DisplayName "Rule Name"

Check whether a port is listening

Powershell
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess

This helps separate firewall problems from application problems. If no service is listening, opening the firewall is not enough.

Common mistakes

Opening ports before confirming the service needs them

Do not open ports because an installation guide mentioned them. Confirm the service, protocol, and source first.

Exposing SQL Server to the public internet

SQL Server should normally be restricted to trusted IPs, private networking, VPN, or application servers. Public TCP 1433 exposure increases risk.

Leaving temporary test rules behind

Temporary rules become permanent risk when nobody removes them. Use clear names like Raff Test..., then delete them after testing.

Changing RDP rules without a backup access path

If you lock yourself out of RDP, you may need dashboard or console recovery. Be careful when changing RDP rules on a remote VPS.

Assuming the firewall is the only security layer

Firewall rules are important, but they do not replace strong passwords, patching, least privilege, MFA where available, application hardening, and monitoring.

What Raff recommends

For production Windows VPS workloads, Raff recommends:

  • Keep Windows Firewall enabled.
  • Keep RDP rules under strict control.
  • Restrict admin ports to trusted IPs where possible.
  • Avoid exposing database and file-sharing ports publicly.
  • Use HTTPS for public web workloads.
  • Name custom rules clearly.
  • Remove temporary rules after testing.
  • Review firewall rules after every major software install.

The best firewall rule is the one you do not need to create. Start closed, then open only what the workload requires.

FAQ

Should I disable Windows Firewall on a VPS?

No. Keep it enabled. If something does not connect, fix the specific rule instead of turning the firewall off.

Why does my firewall profile show NotConfigured?

That value means a specific default action is not explicitly configured in that policy view. It does not mean the firewall is disabled. Check the Enabled column for each profile.

Is opening a port enough for an application to work?

No. The application must also be running and listening on that port. Use Get-NetTCPConnection -State Listen to check listening ports.

Should RDP be open to everyone?

Avoid that when possible. Restrict RDP to known IP addresses, VPN, or trusted admin networks if your workflow allows it.

Can I use the GUI instead of PowerShell?

Yes. Windows Defender Firewall with Advanced Security provides a GUI for creating and editing rules. PowerShell is faster for repeatable server administration.

Tested on

Tested on Raff Windows VPS, Windows Server 2025 Datacenter Evaluation, build 26100, 4 vCPU, approximately 8 GB RAM, 2026-05-24. We verified firewall profile status, existing Remote Desktop firewall rules, creation of a temporary inbound TCP rule, and removal of that test rule. Tester: [ENGINEER NAME].

What's next

  • Windows Update Strategy on Production Servers - patch Windows Server safely with snapshots and maintenance windows
  • Connect to a Raff Windows VPS via RDP - connect to your Windows Server from Windows, macOS, Linux, iOS, and Android
  • Raff Windows Server Hub - browse Windows Server guides, compatibility notes, PowerShell commands, and version comparisons
  • Raff Windows VPS - deploy a Windows Server VPS for business software, SQL Server, IIS, RDP, or admin workloads

Sources

  • Microsoft Learn - Windows Firewall overview
  • Microsoft Learn - Manage Windows Firewall with the command line
  • Microsoft Learn - Get-NetFirewallProfile
  • Microsoft Learn - New-NetFirewallRule
  • Microsoft Learn - NetSecurity PowerShell module
Was this article helpful?

Published May 24, 2026 · Updated May 24, 2026

Back to hub
Get started
Deploy a Windows Server

Genuine, fully-licensed Windows. Full admin, RDP-ready in ~2 minutes.

Deploy Windows Now
Full admin · RDP-ready · 14-day money-back
On this page
In shortQuick verdictWhy Windows Firewall matters on a VPSWhat we tested on RaffStep 1 - Check Windows Firewall profilesStep 2 - Review existing RDP firewall rulesStep 3 - Create a safe temporary test ruleStep 4 - Remove the temporary test ruleStep 5 - Use narrower rules for real workloadsCommon ports and what to do with themRecommended firewall workflowUseful firewall commandsCommon mistakesWhat Raff recommendsFAQTested onWhat's nextSources
Ready when you are

Your Windows Server, live in ~2 minutes

Genuine, fully-licensed Windows with full admin and RDP. We handle the Microsoft licensing, billed monthly with nothing upfront. On NVMe SSD, backed by a 14-day money-back guarantee.

Deploy Windows Now
Learn MoreTalk to Windows Engineer

Related articles

security networkingWindows VPS Backup Strategy for Small BusinessesPlan a Windows VPS backup strategy for small business workloads with snapshots, backups, restore tests, app-aware recovery, and off-server copies.14 min read7/1/2026security networkingRemote Desktop Gateway vs Direct RDP on a Windows VPSCompare RD Gateway vs direct RDP on a Windows VPS for safer remote access, SMB users, RDS planning, firewall exposure, and security tradeoffs.15 min read7/1/2026Security & hardeningWindows Update Strategy on Production ServersUpdate Windows Server safely on a production VPS: snapshot first, patch on a controlled schedule, scan with PowerShell, and verify reboot state.9 min read5/24/2026