Using Windows Defender Firewall on your VPS
What this is
Windows VPS has no managed edge firewall in front of it (that's a Linux VPS feature), so Windows Defender Firewall is the network layer, and the good news is its default posture is already right: inbound connections are blocked unless a rule allows them. Windows and its services create their own rules (RDP's exists out of the box), so your job is only two things: open ports for what you deliberately serve, and tighten the rules you inherited.
Opening a port for your application
Say your app listens on TCP 8080. Remember that a port only answers if something is listening, so confirm your app is running first, then allow it:
PowerShell (fastest):
New-NetFirewallRule -DisplayName "MyApp 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
GUI: run wf.msc → Inbound Rules → New Rule → Port → TCP, 8080 → Allow → name it. Same result.
Then verify from outside (your own machine): Test-NetConnection YOUR.VPS.IP -Port 8080, or any online port checker, reading the result with the closed-vs-filtered rule. Ask an AI chatbot to draft rules for anything fancier (port ranges, UDP, specific programs); New-NetFirewallRule has a parameter for everything.
Restricting RDP to your own IPs
This is the highest-value tightening on the whole server. RDP reachable only from addresses you control ends the brute-force question outright:
- wf.msc → Inbound Rules → find Remote Desktop - User Mode (TCP-In).
- Properties → Scope tab → Remote IP address → These IP addresses → add your home/office IPs (find yours on any "what is my IP" site).
- OK, the change applies immediately.
Two safety notes. First, your home IP may be dynamic, so add a range or your mobile carrier's egress too if you can. Second, know the fallback before you need it: the Console in your client area reaches the VPS without RDP, so a scope mistake locks the door, not the house. (PowerShell equivalent: Set-NetFirewallRule -DisplayName "Remote Desktop - User Mode (TCP-In)" -RemoteAddress 203.0.113.7.)
The habits
- Don't turn the firewall off to "test something"; allow the specific port instead. Off means every listener on the machine is public.
- Profiles (Domain/Private/Public): on a VPS the network is Public; when creating rules, applying them to all profiles avoids surprises.
- Audit occasionally:
Get-NetFirewallRule -Enabled True -Direction Inbound | Where-Object Action -eq Allow lists everything you're allowing in.
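The audit command above shows rule names but not which ports they open or who can reach them. The following is an added example (not part of the original article) that joins each allowed inbound rule to its port and remote-address scope and flags rules open to any source. It uses only the built-in NetSecurity cmdlets and the RDP rule name given earlier on this page; run it in an elevated PowerShell session on the VPS.

```powershell
# Added example: report every enabled inbound Allow rule with port and scope.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object Action -eq Allow

$report = foreach ($rule in $rules) {
    # Port and address details live in separate filter objects per rule
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter

    [pscustomobject]@{
        DisplayName   = $rule.DisplayName
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
        # An unscoped rule reports its remote address as "Any"
        OpenToAny     = ($addr.RemoteAddress -contains 'Any')
    }
}

# Show rules reachable from anywhere first, then order by port
$report |
    Sort-Object @{ Expression = 'OpenToAny'; Descending = $true }, LocalPort |
    Format-Table -AutoSize -Wrap

# Explicit check on the RDP rule this article tells you to scope
$rdpName = 'Remote Desktop - User Mode (TCP-In)'
$openRdp = $report | Where-Object {
    $_.DisplayName -eq $rdpName -and $_.OpenToAny
}
if ($openRdp) {
    Write-Warning "$rdpName still accepts connections from any remote address."
}
```

Any row with OpenToAny set to True is a listener exposed to the whole internet; each one should be either something you deliberately serve or a candidate for a Scope restriction.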
Still need help?
You can open a support ticket. So we can help on the first reply, it's worth mentioning:
- the VPS hostname or IP and the port involved,
- the rule you created or changed,
- what an outside test of the port shows (refused, or a timeout).
Related questions
- "How do I open a port on my Windows VPS?"
- "How do I restrict RDP to my IP address?"
- "Is there a firewall in front of my Windows VPS?"
- "Should I disable Windows Firewall to test?"
- "How do I list my inbound firewall rules?"