First things first. You do know that CIS is not supported on the server platform?
You make no mention of which mail server you're using or which specific services you require, as each will have their own requirements. Also, is this a publicly accessible server, or just available to other LAN clients? If it’s publicly accessible, I’d seriously suggest you take some time to create specific rules to support the services you need to host. Using generic rules like trusted or allowing everything in and out is not a good idea.
With regard to Application rules, you’ll need to change the rules for the System process, which you currently have blocked, and you really should lose the rules for Windows System Applications and Windows Updater Applications, as these rules have crossover with defined rules for the System process and svchost.exe.
As I mentioned in my earlier post, you will need to create both Application rules and Global rules to support each service, for example DNS.
To allow the DNS server service to function correctly (do you do zone transfers?) you will need a Global rule:
Action - Allow
Protocol - TCP and UDP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 53
It would be even better to create two separate rules, one for TCP and one for UDP, but that’s your choice.
To complement this Global rule, we’ll need an equivalent Application rule:
Application name: C:\Windows\System32\dns.exe
Action - Allow
Protocol - TCP and UDP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 53

Action - Allow
Protocol - TCP and UDP
Direction - OUT
Source Address - ANY or better, use the MAC address of the server
Destination Address - ANY
Source Port - 53
Destination Port - ANY
A similar process will be needed for Internet Information Services. I’m assuming you’re using both the web services and the ftp services?
The Global rule(s) for HTTP and HTTPS would look something like:
Action - Allow
Protocol - TCP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 80 (to support SSL add port 443. If you need other ports create a port set)
The Application rule(s) to complement this would look something like:
Application name: System
Action - Allow
Protocol - TCP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 80 (to support SSL add port 443. If you need other ports create a port set)
For FTP your global rule would be something like:
Action - Allow
Protocol - TCP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 21 (if you need sftp you’ll need to add port 990)
The Application rule(s) to complement this would look something like:
Application name: Svchost.exe
Action - Allow
Protocol - TCP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 21 (if you need sftp you’ll need to add port 990)

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - 20
Destination Port - ANY

Action - Allow
Protocol - TCP
Direction - OUT
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - 989
Destination Port - ANY
If you need to support passive ftp you’ll need to adjust the ports accordingly.
For RDP/Terminal services your Global rule will be something like:
Action - Allow
Protocol - TCP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 3389
And your complementary Application rule:
Application name: Svchost.exe
Action - Allow
Protocol - TCP
Direction - IN
Source Address - whatever is appropriate here
Destination Address - ANY or better, use the MAC address of the server
Source Port - ANY
Destination Port - 3389
With MSSQL you’ll have to decide if you’re using a static port or dynamic ports, as the rules will be different. There may also be some additional rules depending on which of the SQL services you use and to what use the Database is put.
Basically, repeat the process outlined above for each service you wish to use, substituting the appropriate process name, protocols and port numbers, where appropriate.
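The reason the post keeps pairing every Global rule with an Application rule is the layered way CIS evaluates traffic: an inbound connection has to pass the Global rule list first and then the Application rule list for the receiving process, while outbound traffic is checked against Application rules first and Global rules second. The following Python model is an added illustration, not code from the post or from Comodo. It transcribes the DNS, HTTP/HTTPS, FTP and RDP rules above into two rule tables (addresses are left out of the model) and runs a few constructed connection attempts through them, so you can see, for instance, that a Global rule for 3389 on its own does nothing for a process that has no matching Application rule. Treating an unmatched packet as blocked, and the `evaluate` ordering, are the model's own simplifying assumptions; the port numbers are exactly those the post gives.

```python
"""Model of the two-layer Comodo (CIS) firewall evaluation the rules above rely on.

Inbound traffic has to pass a Global rule and then an Application rule; outbound
traffic is checked against Application rules first, then Global rules.  Added
illustration, not Comodo's code: the rule tables are transcribed from the post,
and default-deny for a packet that matches no rule is the model's assumption.
"""
from dataclasses import dataclass
from typing import FrozenSet, Union

ANY = "ANY"
Ports = Union[FrozenSet[int], str]      # a set of port numbers, or ANY


def ports(*numbers):
    return frozenset(numbers)


@dataclass(frozen=True)
class Rule:
    action: str                 # "Allow" or "Block"
    protocols: FrozenSet[str]   # {"TCP"} or {"TCP", "UDP"}
    direction: str              # "IN" or "OUT"
    src_ports: Ports
    dst_ports: Ports
    app: str = ANY              # Application rules bind to a process; Global rules use ANY

    def matches(self, pkt):
        return (pkt["proto"] in self.protocols
                and pkt["direction"] == self.direction
                and (self.src_ports == ANY or pkt["src_port"] in self.src_ports)
                and (self.dst_ports == ANY or pkt["dst_port"] in self.dst_ports)
                and (self.app == ANY or pkt["app"].lower() == self.app.lower()))

    def overly_broad(self):
        # The "allow everything" style the post warns against: an Allow that
        # restricts neither the source nor the destination port.
        return self.action == "Allow" and self.src_ports == ANY and self.dst_ports == ANY


TCP_ONLY = frozenset({"TCP"})
TCP_UDP = frozenset({"TCP", "UDP"})
DNS_EXE = r"C:\Windows\System32\dns.exe"

# Global rules transcribed from the post.
GLOBAL_RULES = [
    Rule("Allow", TCP_UDP, "IN", ANY, ports(53)),            # DNS
    Rule("Allow", TCP_ONLY, "IN", ANY, ports(80, 443)),      # HTTP/HTTPS port set
    Rule("Allow", TCP_ONLY, "IN", ANY, ports(21, 990)),      # FTP control (+990)
    Rule("Allow", TCP_ONLY, "IN", ANY, ports(3389)),         # RDP
]

# Application rules transcribed from the post.
APP_RULES = [
    Rule("Allow", TCP_UDP, "IN", ANY, ports(53), app=DNS_EXE),
    Rule("Allow", TCP_UDP, "OUT", ports(53), ANY, app=DNS_EXE),     # replies from port 53
    Rule("Allow", TCP_ONLY, "IN", ANY, ports(80, 443), app="System"),
    Rule("Allow", TCP_ONLY, "IN", ANY, ports(21, 990), app="svchost.exe"),
    Rule("Allow", TCP_ONLY, "OUT", ports(20), ANY, app="svchost.exe"),   # active FTP data
    Rule("Allow", TCP_ONLY, "OUT", ports(989), ANY, app="svchost.exe"),
    Rule("Allow", TCP_ONLY, "IN", ANY, ports(3389), app="svchost.exe"),
]


def packet(direction, proto, src_port, dst_port, app):
    """Constructed connection attempt; 'app' is the local process involved."""
    return {"direction": direction, "proto": proto,
            "src_port": src_port, "dst_port": dst_port, "app": app}


def first_match(rules, pkt):
    """First matching rule in the list wins, as in CIS; None if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return None


def evaluate(pkt, global_rules=GLOBAL_RULES, app_rules=APP_RULES):
    """Return "Allow" or "Block" for one connection attempt.

    Inbound: Global layer, then Application layer; both must explicitly allow.
    Outbound: Application layer first; an explicit Global Block still wins, but
    with no Global OUT rule present the Application layer decides.
    """
    if pkt["direction"] == "IN":
        for layer in (global_rules, app_rules):
            if first_match(layer, pkt) != "Allow":
                return "Block"
        return "Allow"
    if first_match(app_rules, pkt) != "Allow":
        return "Block"
    return "Block" if first_match(global_rules, pkt) == "Block" else "Allow"


def broad_rules(rules):
    """Rules an auditor should question: the 'trusted' / allow-all style."""
    return [r for r in rules if r.overly_broad()]


if __name__ == "__main__":
    for p in (packet("IN", "UDP", 41000, 53, DNS_EXE),
              packet("IN", "TCP", 41000, 3389, "Svchost.exe"),
              packet("IN", "TCP", 41000, 3389, "System"),   # Global allows, no App rule
              packet("IN", "TCP", 41000, 25, "System"),     # no rule at all
              packet("OUT", "UDP", 53, 41000, DNS_EXE)):
        print(p["direction"], p["proto"], p["dst_port"], p["app"], "->", evaluate(p))
    print("overly broad rules:", broad_rules(GLOBAL_RULES + APP_RULES))
```

Running the block prints the verdict for each constructed attempt; the useful check is the third one, where RDP traffic aimed at the System process is blocked even though the Global rule allows 3389, which is exactly why each service needs both halves. `broad_rules` returns nothing for the transcribed tables, and flags any rule you add later that allows a direction with no port restriction at all.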