Security – Is it more secure to close port 80 to IIS

Tags: iis, port, security

Our software runs on 443 (https) on IIS and our network administrator insists on closing port 80 on the firewall. Port 80 would be used to redirect to 443.

The problem is that the users now need to type "https://" specifically in the browser to access the site (which they don't). Without port 80 it isn't possible to redirect to 443.

So, does closing port 80 make the server more secure?

Best Answer

There is an argument that is occasionally made that disabling port 80 protects you from errors created by your web developer, who might unintentionally have a form with data that needs to be secure aimed at the http site instead of the https site. If port 80 is closed then the TCP handshake will fail and no data will be sent insecurely. If port 80 isn't closed and the user's browser is badly configured then secure data might be sent insecurely.

There is an attack called SSL stripping. This attack tool can watch for redirects from http to https and then adjust the redirect sent over http to point at the proxy in a way that will keep the traffic unencrypted, resulting in a MITM.
