The Windows firewall exception in the MSI installer allows all access to the JVM (there is no filtering; it allows connections on any port, including JMX/RMI/debugging if enabled).
This should be restricted (and maybe split into multiple rules) to allow:
- http(s) access from anywhere
- CLI/SSH access and LAN only.
In order to do this we would need to have the CLI and SSH ports defaulted to not be random at startup.
Ideally the installer should actually ask the admin if they want the exceptions and what exceptions to add.
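
One way to audit for the program-wide exception and replace it with the split rules proposed above, as an added example that is not part of the original report or the installer's own code. The executable path, rule names and port numbers are placeholders chosen for illustration, and the CLI and SSH ports are assumed to have been configured as fixed values. Run from an elevated PowerShell session.

```powershell
# Placeholders (assumptions, not values from the report): use the installer's real ones.
$JavaExe   = 'C:\Program Files\ExampleApp\jre\bin\java.exe'  # hypothetical JVM path
$HttpPorts = 8080, 8443   # hypothetical HTTP(S) ports
$CliPort   = 50000        # hypothetical fixed CLI port
$SshPort   = 2222         # hypothetical fixed SSH port

# 1. Audit: enabled inbound allow rules tied to the JVM that do not filter by port.
$broad = Get-NetFirewallApplicationFilter -Program $JavaExe -ErrorAction SilentlyContinue |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains 'Any' }

$broad | Select-Object DisplayName, Profile, Direction, Action | Format-Table -AutoSize

# 2. Disable (rather than delete) the unfiltered rules so the change is reversible.
$broad | Disable-NetFirewallRule

# 3. HTTP(S): reachable from anywhere, but only on the listed ports.
New-NetFirewallRule -DisplayName 'ExampleApp HTTP(S)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -Program $JavaExe -LocalPort $HttpPorts -RemoteAddress Any | Out-Null

# 4. CLI and SSH: fixed ports, local subnet only.
New-NetFirewallRule -DisplayName 'ExampleApp CLI/SSH (LAN only)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -Program $JavaExe -LocalPort $CliPort, $SshPort -RemoteAddress LocalSubnet | Out-Null

# 5. Verify: every remaining enabled inbound rule for the JVM, with its port and address scope.
Get-NetFirewallApplicationFilter -Program $JavaExe |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    } | Format-Table -AutoSize
```

With these rules in place, JMX/RMI and debug listeners opened by the JVM are no longer reachable through the firewall, because no rule covers their ports.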