Windows server best practice - Allow Internet access?

[1stresponder]

I'm looking for best practices documentation that addresses Internet access from internal servers. What's considered the best practice? Allow ports 80 and 443 through the firewall from internal servers (not Internet facing), or block? Best practice would have servers updated/patched from local server within their internal network segment. I found documentation on TechNet that covers domain controllers, but nothing that mentions everything else. TechNet at least says domain controllers should have no access through the firewall to the Internet. My concern now is the other servers installed on the inside. Not the Internet facing servers installed within the DMZ, but servers installed on the inside supporting internal operations only. Does anyone know where I can find documentation from a well-known source?

[tarhibniamul]

For best practices, restrict outbound traffic from internal servers to only what's necessary for their function. Implement default deny policies, least privilege access, network segmentation, proxy or gateway filtering, logging and monitoring, patch management, and access control lists (ACLs). Consult industry standards and guidelines from sources like CIS, NIST, and vendor documentation.

[Steve R Jones]

Note that this thread was posted -> February 7th, 2015

[ShafaqatBlogger]

Best practice for internal servers not facing the internet is generally to block internet access and restrict ports 80 and 443 through the firewall. This minimizes exposure to potential threats. Instead, updates and patches should be managed through a local WSUS (Windows Server Update Services) or similar solution within the internal network. While TechNet provides guidance on domain controllers, for other internal servers, look for security hardening guides from reputable sources like the Center for Internet Security (CIS) or Microsoft?s security best practices documentation.