Out of convenience, I have set the firewall rules of one of our customers' Windows 2008 R2 servers so that it is open for all incoming traffic, all ports and all programs, but the scope settings limit it to one specific remote IP address - ours. The reason is that we access the database and other programs remotely.
Question: is such a setting risky? Should I put effort into establishing separate rules for specific ports and programs in addition to our fixed IP address?
As a developer, I find it hard to estimate the danger of IP spoofing and whatever other hacking techniques there may be that can take advantage of that setup.
In general, the less attackable surface area, the better. You are on the right track with constraining that down to a specific source IP. Following the least privilege principle, you should deny all destination ports and only open up the ones you actually need. You would then have to weigh the cost of administration against the risk. The risk is going to depend on several things, such as how sensitive the data you are accessing is, what the quantified loss is if the server is compromised, etc.
That being said, it is far more likely that an attacker will exploit a vulnerability on the customer's server from inside their own network than it would be for them to perform a man-in-the-middle attack and nab your credentials, sensitive DB material, etc. IP spoofing in practical application would not be much of a worry here. It is usually used to scan a network or to frame another machine/IP. It becomes extremely complicated to spoof an IP and do anything functional when using protocols that require a session to be set up between a source and destination. Possible, but not probable. (See ARP or DNS poisoning.)
Another more likely attack vector (to the DB) could be that your own machine/network is compromised, and the attacker could pivot from there and hit the DB machine. Of course, at this point, you would have bigger problems. ;) Hope this helps a bit.
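The "deny all, open only what you need, scoped to your source IP" setting that this answer recommends, written out for the Windows 2008 R2 built-in firewall. This is an added example, not code from any poster on this page; it uses `netsh advfirewall`, which exists on 2008 R2 (the `New-NetFirewallRule` cmdlets only arrived with 2012). The rule names, the office address 203.0.113.10 (documentation range), and the choice of SQL Server on TCP 1433 and RDP on TCP 3389 are all assumptions standing in for "the database and other programs" in the question; replace them with whatever the customer actually runs.

```powershell
# Added example (not from the original question or answers).
# Assumed values: office public IP, database port, RDP port.
$office = '203.0.113.10'   # assumed: your fixed public IP, as described in the question
$dbPort = 1433             # assumed: SQL Server default TCP port
$rdpPort = 3389            # assumed: RDP, the "other program" accessed remotely

# --- The setting the question describes (weak): every port and program, any protocol,
# --- scoped only by remote address. Shown for contrast; do not add it.
# netsh advfirewall firewall add rule name=Office-AllowAll dir=in action=allow protocol=any remoteip=$office

# If such a rule already exists, remove it first (rule names are the assumed ones above).
netsh advfirewall firewall delete rule name=Office-AllowAll

# --- Hardened equivalent: inbound default-deny on every profile, then one rule per
# --- service, each restricted to the single remote address AND a single local port.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

netsh advfirewall firewall add rule name=Office-SQL dir=in action=allow `
    protocol=TCP localport=$dbPort remoteip=$office profile=any enable=yes `
    description='Database access from the office address only (assumed port)'

netsh advfirewall firewall add rule name=Office-RDP dir=in action=allow `
    protocol=TCP localport=$rdpPort remoteip=$office profile=any enable=yes `
    description='Remote administration from the office address only (assumed port)'

# --- Checks a practitioner would run afterwards:
# 1. Confirm the default inbound policy really is block on all profiles.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'

# 2. Confirm each new rule carries both the RemoteIP scope and the LocalPort limit.
netsh advfirewall firewall show rule name=Office-SQL verbose
netsh advfirewall firewall show rule name=Office-RDP verbose

# 3. Confirm no remaining inbound allow rule is scoped to "Any" local port from that address.
netsh advfirewall firewall show rule name=all dir=in |
    Select-String -Pattern 'Rule Name|RemoteIP|LocalPort' |
    Select-String -Pattern $office -Context 2,0
```

The difference between the two forms is the second scope dimension: the weak rule is bounded only by source address, so any listening service on the box, including ones installed later, is reachable from that address; the per-port rules are bounded by both source address and destination port, which is the least-privilege shape the answer describes. Adding a further service later means adding one more narrow rule rather than widening an existing one.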
It is an unnecessary risk. Most database access could be handled by certificate authentication. 'Other programs' is too vague. Does this mean you need to authenticate with a remote Windows computer over the Internet? Sounds like a VPN would be useful. Seems unlikely to me in this day and age that two organizations on the Internet would not have firewalls capable of establishing an IPsec VPN connection between them.
Given your explanation of the scenario, I'd say restrict access to a single IP (the public IP address of your firewall), and manage who is allowed to reach the various server services through that public IP via your firewall rules.
As long as your IP address is static, you should be fine.