So far as I recall, the admin_add* pages don't require LDAP authentication; in other words, they are a potential security risk. However, it would take some carefully crafted scripting to actually attack you using these pages, so the risk is fairly low. That said, as OA becomes more popular, sooner or later some hacker will find a way. I would suggest that using VPNs to connect to the server site would give you more security, as suggested elsewhere.
Using SSL (i.e. https:) is supported on all pages, including the admin_add* pages. To enable it, go to the Admin > Config page and enable it from there. If you find it doesn't work, you may have to edit include_config.php manually to switch it back off.
The exact method of setting up Apache or IIS to work with SSL/HTTPS will very much depend on your particular site. (If you use XAMPP, most of the hard work is done for you.)