IMO the best place to start is to require some sort of secure remote access mechanism.
Most SSL VPN offerings support 2 factor, for example, and the traditional fat IPsec VPN client a sort of 2 factor authentication stemming from the way fat IPsec clients work. The way IPsec VPN clients does 2 factor: part 1) A IKE phase 1 pre-shared key that the fat client MUST provide before getting to phase 2. Some people use X.509 certificates for the phase 1. part 2) username & PW authentication via XAUTH Richard Stovall wrote: > 1) minimal cost (naturally) > 2) minimal installation footprint > 3) flexibility (different rules depending on where the user is > physically located) > 4) ease of management > 5) upgrade-ready (to future AD versions, etc.) > > All thoughts and experiences are welcome. -- Phil Brutsche p...@optimumdata.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
