An outsourced support group wants Port 80 and Port 443 opened so that they can log onto a server. They don't want to RDP into the system to do maintenance.
Is it dangerous and foolish to open Port 80 and Port 443 and port forward it to a particular server?
Their next suggestion was to port forward and white list their IP to allow only traffic from their office to that server. Is this wise?
Ports 80 and 443 are very popular and they can be discovered by attackers easily.
Make sure you understand what is flowing inside those ports. Make sure to use 443 because traffic is encrypted.
Opening them from a restricted IP reduces the attack surface.
The best way to stay protected is always a VPN and they should use that instead of other protocols.
I set up the outsourced group with a VPN, and they use RDP to access the server. They now want a new way to access the server. They haven't explained why and I didn't agree to their request. However, for the sake of peace, I said I would ask other people in the field if they agree to open port 80 and port 443.
What did you mean by "Opening them from a restricted IP reduces the attack surface"?
You could only allow a set of public IPs through the firewall to your web site from the Internet.
For opening a website from the outside, you need to make sure the site is secure from XSS or SQL Injection and make sure that only secure SSL ciphers are allowed. If you don't know how to do that, I would leave them on the VPN.
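An added example, not part of the thread: a small audit of port-forward rules that flags the cases discussed above (port 80 in the clear, forwards open to any source, and source ranges wider than a vendor office needs). The rule format, the sample rules and the 16-address threshold are assumptions made for illustration, not any real firewall's syntax.

```python
import ipaddress

# Constructed sample rules in a made-up format (not any real firewall's syntax):
#   <external_port> -> <internal_host>:<port> from <source CIDR or "any">
SAMPLE_RULES = """\
80  -> 10.0.0.5:80  from any
443 -> 10.0.0.5:443 from any
443 -> 10.0.0.5:443 from 203.0.113.0/24
443 -> 10.0.0.5:443 from 203.0.113.10/32
80  -> 10.0.0.5:80  from 203.0.113.10
"""

MAX_SOURCE_ADDRESSES = 16  # assumed policy: a vendor office needs only a few IPs


def parse_rule(line):
    """Split one rule line into (external_port, target, source_network_or_None)."""
    left, _, source = line.partition(" from ")
    port, _, target = left.partition("->")
    source = source.strip()
    # "any" means no source restriction; a bare address is treated as a /32.
    network = None if source == "any" else ipaddress.ip_network(source, strict=False)
    return int(port), target.strip(), network


def audit(rules_text):
    """Return a list of (line_number, finding) for risky forwards."""
    findings = []
    for number, line in enumerate(rules_text.splitlines(), start=1):
        if not line.strip():
            continue
        port, _target, network = parse_rule(line)
        if port == 80:
            findings.append((number, "port 80 carries unencrypted HTTP"))
        if network is None or network.prefixlen == 0:
            findings.append((number, "open to the whole Internet"))
        elif network.num_addresses > MAX_SOURCE_ADDRESSES:
            findings.append((number, f"source {network} is wider than the allowlist policy"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```

Only the fourth sample rule (443 from a single address) passes cleanly; an allowlist narrows who can reach the site but does not replace the application and TLS hardening mentioned in the last reply.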