Blocking IP addresses in the Windows Firewall on a Windows Server can be done for various reasons, primarily to enhance security and control network access.
Here are some common reasons why administrators might choose to block specific IP addresses:
1. Security Concerns: Blocking specific IP addresses can be a security measure to protect your server from potential threats, such as malicious activity, hacking attempts, or unauthorized access. If you notice suspicious or malicious traffic from certain IP addresses, blocking them can help mitigate the risk.
2. Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) Protection: Blocking IP addresses can be part of a strategy to defend against DoS or DDoS attacks. By blocking IP addresses associated with the attack, you can reduce the impact on your server's resources and maintain service availability.
3. Unauthorized Access Prevention: If you have identified specific IP addresses that should not have access to your server (e.g., due to policy violations or unauthorized access attempts), blocking those IP addresses in the firewall helps enforce access controls.
4. Protection of Specific Services: Blocking IP addresses can be used to protect specific services running on your server. For example, if you want to limit access to a specific port or service (e.g., Remote Desktop Protocol - RDP), you can block IP addresses that should not have access.
5. Preventing Brute Force Attacks: Blocking IP addresses after multiple failed login attempts (brute force attacks) is a common security practice. This helps protect against unauthorized access attempts by restricting access for IP addresses that repeatedly fail authentication.
6. Malware Prevention: Blocking IP addresses associated with known malware sources or command and control servers can prevent infected systems from communicating with your server.
The following article will assist you in blocking a single IP address or a range of IP addresses in the default firewall of Windows Server 2016/2019:
1. Login to your VPS via RDP. Please refer to how to login to your VPS using RDP.
2. Click on Start >> Search for Windows Defender Firewall with Advanced Security >> Select Windows Defender Firewall with Advanced Security.
3. From the left pane of the Firewall window, click on the 'Inbound Rules' option.
4. From right-pane, click on "New Rule".
5. A New Inbound Rule Wizard will be opened. Here, click on the Custom button and then click on Next.
6. Make sure that the All Programs option is selected. Then, click on Next.
7. In the Protocol and Ports wizard, leave all the options at its default and click Next.
8. In the Scope wizard, you will see two boxes. The first one is for local IP addresses, and the second is for remote IP addresses. In this scenario, we are trying to block an outside (remote) IP address from accessing anything on the server, so we will need to add the IP address to "These IP addresses" section only, as it will not be a local IP address.
9. Add the IP address which you wish to block in "This IP adddress or subnet" option and click on Add button. Here we will add a single IP address to the rule. You can also add an entire range at this point if you wish. After adding IP address(es), click on OK button.
10. Under Which remote IP addresses does this rule apply to?, added IP address will be seen. Click on Next button.
12. Select Block the connection option from the Action wizard and then click Next.
13. Leave all of the options checked in the Profile wizard. This will block the IP address, no matter the connection they are trying to use. Then, click on Next.
14. Mention the name of the rule in the Name wizard (it can be something you can remember in case you wish to remove or edit it in the future). Here we have added the name "Name_of_the_rule". Now, click on Finish.
That's it. You have successfully blocked the IP address.