iis security: I have a web site that will connect to our HR system for employees to
view benefit info, pay stubs, w2's etc from outside the office at home.
Which is a better way to secure access to this server, just use an ssl
certificate or should I use an ssl vpn? The web server can sit either
inside the network or in a DMZ. Either way I hope to use two factor
authentication such as RSA tokens to add a layer of protection.

It is really hard to give you a sound advice since we don't have enough
information here (e.g. all functionality requirements for the website), but
if this is more or less standard HR webpage then SSL should be more then
enough...

--
Mike
Microsoft MVP - Windows Security

[quoted text, click to view]

[quoted text, click to view]

It sounds like this is personal, non-public information. That may be
covered by HIPAA, GLB, or some other regulation, so I would be careful.
Perhaps a talk with corporate counsel would be smart.

You may get better security with an SSL-based VPN since some come with
tools that check the client for security such as the age of the virus
database, etc. You will also get increased cost, since you should be
able to roll your own certs. I would look at the functionality of the
SSL-VPNs and see if they would help you sleep better at night ;). They
should all talk Radius, which will allow you to integrate 2 factor
authentication.

HTH,

nick
--
Nick Owen
WiKID Systems, Inc.
Commercial/Open Source Two-Factor Authentication
http://www.wikidsystems.com
https://sourceforge.net/projects/wikid-twofactor/