How do I let a remote user (an outside sales rep) have limited
access to the company intranet
(e.g., certain reports)? Currently our network is an NT4 domain with a Win2k IIS server for intranet. The firewall is a Symantec Enterprise Firewall version 7 on an NT4 SP6a, but not a member of the domain. Company sales reps are given access to the intranet via a VPN tunnel on the firewall and can access critical areas with NT authentication. The majority of the intranet is available to inside users and sales reps through "IUSR." However, some of these areas should not be available to this remote user. Do we direct this user to a different homepage, use Terminal Server or something else? I am mainly looking for a direction to go with this for the best security.
There are many factors to consider here. The "best" security will depend on how you are set up and exactly what you wish to accomplish. One method, the easiest way to restrict this user's access, is to use file permissions. Make IUSR_
only able to access those areas that should be seen by anyone. Remove access for this account to any sensitive areas. Then create a user group for other "internal" users and give that group permissions to folders and files that you want to protect. Add approved users to the group. When a user accesses the protected files, their credentials are checked, as is their group membership. Your remote user won't belong to an approved group and thus will be denied access.
Another way to restrict access would be to provide a separate server for these "everyone and my remote user can look see." You then need to set up permissions, etc. for each server and maintain them as well. If your user is VPNing in, and you've set encryption and authentication as securely as you can, you've already mitigated substantial risks. Now finesse the design until you're happy it works as you want. Document it and be aware that you'll need vigilance to keep it working correctly.