Since testing is the primary goal here, I won’t discuss the security practices related to Windows+Apache+MySQL+PHP. But with a simple step you can secure your test server from external attacks: configure your firewall to block all Internet access to the server, as only your computer or your local network needs access to it.

On other hand, don’t think that test servers don’t need any protection. If you leave the server open to Internet, you’ll be exposed in the same way as production web sites, since hackers/crackers usually scans ranges of IP numbers looking for known vulnerabilities instead of targeting specific web sites.