We worked with a client to set up a Terminal Services server running Windows 2003 to allow employees to sign in remotely to work. This was an easy setup and worked immediately without any issues. TS was chosen because users needed to run applications and not just view files or email.
It was noted during a recent audit of the company that, because "users authenticate remotely via TS, not a VPN", the setup was unacceptable. My understanding has always been that credentials are passed securely (read: encrypted) from the client. Are the auditors correct in their assessment? If their point is that the users should first VPN to the server and *then* sign in to TS, I could see that point, but even then, isn't that overkill given that RDP sessions pass credentials securely?