Firewall Rule Based Management

Small Web Hosting Company Study Case

Windows 2016 Web Server Public/Private IP 103.28.251.162/192.168.0.1

Windows 2016 Server Public/Private IP 103.28.250.99/192.168.0.2

Web Server Firewall Configurations

HTTP : HTTP uses port 80 for communications, so port 80 has to be open. In the firewall settings, the World Wide Web Services (HTTP) rule should be enabled so the server can respond to clients requesting on port 80.

HTTPS : HTTPS uses port 443 for communications. World Wide Web Services (HTTPS Traffic-In) should be allowed so HTTPS connections can be established.

FTP/S : FTP over SSL/TLS is more complicated to configure in a firewall. The protocol runs on port 990 for implicit SSL and port 21 for explicit SSL for the command connection, which is the one used to establish the session between server and client. Once the session is established, a new port is negotiated for the data connection. Because this secondary port is dynamic, the firewall would drop the connection unless it is allowed. Therefore a small range of ports should be configured on the FTP server and opened in the firewall for the data connections.

SMTP : By default, SMTP servers these days use port 587, as it is equipped with TLS encryption for secure communication and is mostly used for mail submission and relays. Port 25 does not provide encryption, but it is still mostly used for relaying mail to other web servers. No other services will run on this port either. As the SMTP service on this web server is only used to send emails, only outgoing port 25 needs to be opened.

Remote Administration : For this feature, the IIS Management Service would be installed. By default, after enabling remote connections in the Management Service, port 8172 is opened in Windows Firewall. However, for additional security of remote access, we can limit the IP addresses and users that are allowed to connect through blacklists and whitelists.

Windows Server Firewall Configurations

MariaDB : By default this database uses port 3306. To open the connection for MariaDB on this server, you have to allow inbound connections on port 3306 in Windows Firewall.

MSSQL : The SQL Server default instance uses static port 1433. Named instances of SQL Server use a dynamic port, with the SQL Server Browser Service monitoring the ports and directing incoming connections to the designated port. However, as this is a company environment, it would be better to set static ports.

Remote Administration : For this feature on Windows Server, Windows Remote Management has to be installed. It needs to allow connections on port 5985 for HTTP requests and port 5986 for HTTPS requests.
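The rules described above for both servers, written out as an added PowerShell example using the built-in NetSecurity cmdlets (this is not part of the original case study). It assumes that only the private LAN 192.168.0.0/24 may reach the administration and database ports, and that the FTPS passive data range is 50000-50100; neither value is stated on the page, and each server block is meant to be run on that server.

```powershell
# Added example: Windows Firewall rules for the two servers in the study case.
# Assumptions (not on the page): admin hosts live in 192.168.0.0/24 and the
# FTP server's passive data range is 50000-50100.
$AdminNet      = '192.168.0.0/24'   # assumption: only the private LAN reaches admin ports
$FtpsDataPorts = '50000-50100'      # assumption: passive range configured on the FTP server

function New-AllowRule {
    param(
        [string]$Name,
        [string[]]$Port,
        [string]$Direction = 'Inbound',
        [string]$RemoteAddress = 'Any'   # 'Any' = Internet-facing, otherwise scoped
    )
    # Skip rules that already exist so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) { return }
    $params = @{
        DisplayName = $Name; Direction = $Direction; Protocol = 'TCP'
        Action = 'Allow'; Profile = 'Any'; RemoteAddress = $RemoteAddress
    }
    # Inbound rules filter on the port we listen on; outbound on the port we connect to
    if ($Direction -eq 'Inbound') { $params.LocalPort = $Port } else { $params.RemotePort = $Port }
    New-NetFirewallRule @params | Out-Null
}

# --- Web server (192.168.0.1): public services open to anyone ---
New-AllowRule -Name 'Web HTTP In'  -Port 80
New-AllowRule -Name 'Web HTTPS In' -Port 443
New-AllowRule -Name 'FTPS Control In (explicit 21, implicit 990)' -Port 21,990
New-AllowRule -Name 'FTPS Passive Data In' -Port $FtpsDataPorts
# Outgoing mail only: nothing listens on 25 here, the server just submits to other servers
New-AllowRule -Name 'SMTP Out' -Port 25 -Direction Outbound
# IIS Management Service: reachable from the private LAN only, never from the Internet
New-AllowRule -Name 'IIS Remote Management In' -Port 8172 -RemoteAddress $AdminNet

# --- Second server (192.168.0.2): databases and WinRM are LAN-only ---
New-AllowRule -Name 'MariaDB In'     -Port 3306 -RemoteAddress $AdminNet
New-AllowRule -Name 'MSSQL Static In' -Port 1433 -RemoteAddress $AdminNet
New-AllowRule -Name 'WinRM HTTP In'  -Port 5985 -RemoteAddress $AdminNet
New-AllowRule -Name 'WinRM HTTPS In' -Port 5986 -RemoteAddress $AdminNet

# Review: any rule whose From column reads 'Any' is reachable from the Internet
Get-NetFirewallRule -DisplayName 'Web *','FTPS *','SMTP *','IIS *','MariaDB *','MSSQL *','WinRM *' |
    ForEach-Object {
        [pscustomobject]@{ Rule = $_.DisplayName; Dir = $_.Direction
            Port = ($_ | Get-NetFirewallPortFilter | ForEach-Object { "$($_.LocalPort)/$($_.RemotePort)" })
            From = ($_ | Get-NetFirewallAddressFilter).RemoteAddress }
    } | Format-Table -AutoSize
```

The final table is the check worth keeping: after any change, only 80, 443, 21/990 and the passive FTPS range should show `Any` as the allowed source.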
