Quick answer: Manage the Windows VPS firewall in wf.msc. Add inbound rules to allow web ports (80, 443), and scope sensitive ports like RDP to your known IP under the rule's Scope tab. Always keep RDP allowed for your own IP so you do not lock yourself out.
Windows Defender Firewall controls which ports and programs on your VPS are reachable. A clean rule set - allow what you need, block the rest, and scope sensitive ports to known addresses - is one of the simplest ways to reduce risk. Here is how to manage it.
You are connected over RDP, so never block the RDP port for your own IP. Confirm an allow rule for RDP exists before tightening anything.
Run wf.msc to open Windows Defender Firewall with Advanced Security. Rules are split into Inbound (traffic coming to the server) and Outbound. Most web-server work is inbound.
To let visitors reach a site, open HTTP and HTTPS. In Inbound Rules choose New Rule > Port > TCP, enter 80,443, and allow the connection. Or use PowerShell:
New-NetFirewallRule -DisplayName "Web 80/443" -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Allow
Administration ports such as RDP or a database port should not be open to the whole internet. Edit the rule, open the Scope tab, and under Remote IP address add only your office or home address. Now only those addresses can reach the port at all.
To close a service, disable or delete its inbound rule. Review the existing rules periodically and remove anything you do not recognize - some installers add rules automatically.
From an outside network, confirm the intended ports respond and the restricted ones do not. Keeping the open-port list short is the goal; every closed port is one less thing to attack.
How do I avoid locking myself out?
Confirm an allow rule for RDP scoped to your IP before tightening other rules.
How do I restrict a port to my IP?
Edit the rule, open the Scope tab, and add your address under Remote IP address.
On a SoftSys managed Windows VPS our team configures and maintains the firewall for you, keeping only necessary ports open and locking RDP and database access to trusted IPs.