09.10.2009

Limiting Web Directories by IP Address

Password protecting directories is nothing new. The next step up would be firewall policies: for example, you may allow RDP access only from specific IP addresses. However, you may need something in between. Most ticket systems today are web-based, which makes it easier for admins to work remotely. However, these ticket systems contain the most important company data. Passwords, client names, IP addresses, etc. are all documented in tickets.

Most ticket systems have a customer portal that allows customers to view their tickets. Then there is the admin or staff side. Let us say your ticket software is installed at the address support.yourcompany.com. Customers can go to that URL to submit and view tickets. The staff will usually log in via the URL support.yourcompany.com/staff or support.yourcompany.com/admin. That’s fine, but personally, I’d feel a little better if this was restricted to prevent Joe Blow from seeing a login prompt. Remember, you cannot completely lock this URL down at the firewall because customers still need access to it. You can, however, use an old-fashioned .htaccess file with an ACL inside.

Code:

# Apache 2.2 (mod_authz_host): evaluate Deny first, then let Allow override it
Order deny,allow
deny from all
allow from 192.168.1.1/24
# a hostname entry makes Apache do a double-reverse DNS lookup on every request
allow from boss.yourcompany.com
allow from 10.10.10.124

The example above would need to be placed in an .htaccess file on your web server in the /staff and /admin folders of your site. Anyone visiting those URLs from hosts other than the ones listed in the .htaccess file will receive a 403 Forbidden error.
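To make the matching rules concrete, here is an added Python model (not from the post, and not Apache's own code) of how mod_authz_host evaluates these directives. It assumes the constructed HTACCESS text below and a hypothetical RDNS table standing in for the reverse lookups Apache would perform.

```python
import ipaddress

# Constructed .htaccess text carrying the same ACL as the post's example.
HTACCESS = """
Order deny,allow
deny from all
allow from 192.168.1.1/24
allow from boss.yourcompany.com
allow from 10.10.10.124
"""

# Hypothetical reverse-DNS table; real Apache does a double-reverse lookup
# (PTR, then the name's A record must point back) before trusting a hostname.
RDNS = {"203.0.113.7": "boss.yourcompany.com"}

def parse_htaccess(text):
    """Return (order, allow_rules, deny_rules) from mod_authz_host directives."""
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def rule_matches(rule, ip, hostname):
    """One 'from' argument: all, CIDR, bare IP, or (trailing part of) a hostname."""
    if rule == "all":
        return True
    try:
        # strict=False: 192.168.1.1/24 is read as the 192.168.1.0/24 network.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass  # not an address or prefix, so compare it as a hostname
    return hostname is not None and (hostname == rule or hostname.endswith("." + rule))

def is_allowed(text, ip, rdns=RDNS):
    """Apache 2.2 Order semantics: deny,allow lets Allow override Deny; allow,deny the reverse."""
    order, allow, deny = parse_htaccess(text)
    host = rdns.get(ip)
    allowed = any(rule_matches(r, ip, host) for r in allow)
    denied = any(rule_matches(r, ip, host) for r in deny)
    if order == "deny,allow":
        return allowed or not denied
    return allowed and not denied
```

Flipping the order to allow,deny with the same rules locks everyone out, because "deny from all" then wins over every allow line.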

Blog Hosting By Orlando Tech Works