In short
Windows Firewall is the first control layer between your Windows VPS and unwanted network traffic. On a production server, leave the firewall enabled, review exposed inbound rules, allow only the ports your workload needs, and remove test rules after validation. This guide shows how to check firewall profiles, inspect RDP rules, create a safe test inbound rule, and clean it up on a Raff Windows Server VPS.
Quick verdict
| Task | Recommended action |
|---|---|
| Check if Windows Firewall is enabled | Use Get-NetFirewallProfile |
| Review RDP exposure | Inspect the Remote Desktop rule group |
| Open a production port | Create a narrow inbound rule for that exact port |
| Test a firewall change | Use a temporary rule and remove it afterward |
| Expose SQL Server, IIS, or app ports | Allow only required sources where possible |
| Unsure whether a rule is needed | Do not open the port until the service requires it |
Default rule: block inbound traffic unless you have a clear reason to allow it.
Why Windows Firewall matters on a VPS
A Windows VPS is reachable over the network. That makes firewall configuration part of the server’s security baseline.
Windows Firewall is a host-based firewall included with Windows. It controls inbound and outbound traffic on the machine itself. Microsoft documents Windows Firewall as enabled by default and designed to help filter network traffic by profile, rule, application, port, and other conditions.
For SMB workloads, firewall mistakes usually happen in one of two ways:
- Too many inbound ports are opened “just in case.”
- Important rules are changed without checking what already exists.
Both are avoidable.
A good Windows VPS firewall setup follows this rule:
Open only what the workload needs, keep RDP controlled, document every custom rule, and remove test rules after testing.
What we tested on Raff
We tested this walkthrough on a Raff Windows VPS running Windows Server 2025 Datacenter Evaluation.

Test environment:
| Item | Value |
|---|---|
| Provider | Raff Technologies |
| OS | Windows Server 2025 Datacenter Evaluation |
| Build | 26100 |
| CPU | 4 vCPU |
| RAM | Approximately 8 GB |
| Test date | 2026-05-24 |
| Tester | Aybars Altinyay |
On this VM, we verified:
- Windows Server version and hardware details
- Firewall profile status
- Existing RDP firewall rules
- Creation of a temporary inbound TCP rule
- Cleanup/removal of the temporary test rule
We did not expose a production application port in this test. The custom rule used TCP 54321 only as a temporary demonstration rule.
Step 1 - Check Windows Firewall profiles
Start by checking the firewall profiles.
Run PowerShell as Administrator:
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
You should see the main profiles:
- Domain
- Private
- Public
In our Raff test, all three profiles were enabled.

If the Enabled column shows True, the firewall profile is active.
If DefaultInboundAction or DefaultOutboundAction shows NotConfigured, that means no explicit local default action is set in that policy view. Do not treat that as the firewall being disabled. Check the Enabled column first.
Step 2 - Review existing RDP firewall rules
Remote Desktop is the most important firewall rule group on many Windows VPS deployments.
Run:
Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-Table -AutoSize

Review:
| Field | Meaning |
|---|---|
DisplayName | Human-readable firewall rule name |
Enabled | Whether the rule is active |
Direction | Inbound or outbound |
Action | Allow or block |
Profile | Domain, Private, Public, or Any |
For production servers, RDP deserves special care. If possible, restrict RDP access to known IP addresses, a VPN, or a trusted administrative network. Do not leave broad public RDP exposure unless you have a deliberate operational reason and additional controls.
Step 3 - Create a safe temporary test rule
For this guide, we created a harmless demonstration rule for TCP port 54321.
This shows the syntax for creating a firewall rule without exposing a real production service like SQL Server or IIS.
Run:
New-NetFirewallRule -DisplayName "Raff Test Inbound Rule TCP 54321" -Direction Inbound -Protocol TCP -LocalPort 54321 -Action Allow -Profile Any
Then verify the rule:
Get-NetFirewallRule -DisplayName "Raff Test Inbound Rule TCP 54321" | Select-Object DisplayName, Enabled, Direction, Action, Profile

This command creates an inbound allow rule.
Important: opening a firewall port does not automatically mean an application is listening on that port. A service still needs to bind to the port before traffic can reach an application. The firewall rule only controls whether Windows allows the traffic through.

