Question : Access to a server from a possibly unprotected computer

My company has deployed a new payroll system.  Windows based.  They want to allow access to the server's web application to view and print payroll information from home.

My concern is that some "home" users may not have the proper antivirus protection or malware protection on their home PCs.  The web application would allow users to log in to a website to view and print pay stubs and so on.

What, if anything, can go wrong with this scenario?  What are we opening ourselves up to with regard to viruses, intrusions, etc.?

Answer : Access to a server from a possibly unprotected computer

I presume this is behind a corporate firewall, and users have to VPN into it to hit this payroll system page.

That's foremost.  It shouldn't be published directly to the 'net -- anyone can and will find it, and brute-force passwords, hack away, etc.

So that way, you're limiting to your home users.  Still not ideal for the points you bring up, primarily: they may not have up to date/patched/secured PCs themselves.

Which means, for instance, they could be compromised, and with keystroke loggers on their PCs, which gives anyone full access to your site, including VPN info -- if your VPN is limited to username/password for security.

You should consider additional security measures, like, ensuring all machines that connect are 'sandboxed' until they're patched and up to date/virus scanned, etc -- then allow access to internal network.  Not foolproof, but a good start.

Foolproof is not allowing it to begin with :-)
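
An added example, not part of the original answer: one way a VPN gateway could implement the "sandboxed until patched" check, as a fail-closed decision over a posture report sent by the connecting PC. The report fields, thresholds and segment names are assumptions made for illustration, and the sample reports are constructed.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical policy thresholds (assumptions, not from the original post).
MAX_AGE = {
    "collected_at": timedelta(minutes=15),    # stale posture reports are not trusted
    "last_os_update": timedelta(days=30),     # OS patches must be this recent
    "av_signature_date": timedelta(days=7),   # antivirus signatures must be this recent
}
QUARANTINE, INTERNAL = "quarantine", "internal"

def _age(report, key, now):
    """Age of an ISO-8601 timestamp field; None if missing, invalid or in the future."""
    try:
        ts = datetime.fromisoformat(report[key])
    except (KeyError, TypeError, ValueError):
        return None
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # treat naive timestamps as UTC
    age = now - ts
    return age if age >= timedelta(0) else None

def assess(report, now):
    """Return (segment, reasons). Any missing or failing check keeps the PC quarantined."""
    reasons = []
    for key, limit in MAX_AGE.items():
        age = _age(report, key, now)
        if age is None:
            reasons.append(f"{key}: missing or invalid")
        elif age > limit:
            reasons.append(f"{key}: older than {limit}")
    # Booleans must be explicitly True; absent or other values fail closed.
    for key in ("av_realtime_enabled", "last_scan_clean"):
        if report.get(key) is not True:
            reasons.append(f"{key}: not confirmed")
    return (QUARANTINE if reasons else INTERNAL), reasons

# Constructed sample reports.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY = {"collected_at": "2024-05-01T11:55:00+00:00",
           "last_os_update": "2024-04-20T03:00:00+00:00",
           "av_signature_date": "2024-04-30T06:00:00+00:00",
           "av_realtime_enabled": True, "last_scan_clean": True}
UNPATCHED = dict(HEALTHY, last_os_update="2024-01-10T03:00:00+00:00",
                 av_realtime_enabled=False)
INCOMPLETE = {"collected_at": "2024-05-01T11:55:00+00:00"}

if __name__ == "__main__":
    for name, rep in [("healthy", HEALTHY), ("unpatched", UNPATCHED), ("incomplete", INCOMPLETE)]:
        print(name, *assess(rep, NOW))
```

The report is produced by the home PC itself, so this gate raises the bar rather than proving the machine is clean, which matches the answer's "not foolproof" caveat.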