I have users that want to use remote desktop for remote access to their workstations. I have RADIUS connected VPN server that I use, however I remember to connect and disconnect rather than send web traffic over the VPN.
I doubt they will do this, because the previous IT consultant left them RDP open and didn't even suggest to change passwords such as 1234,password and {insert child/pet name}. Now they have to use the Password policy that R2 ships with , so I know we are more secure in that regard.
So the most important issue is how dangerous is leaving 7 and XP Remote open to the internet?
The RDP protocol with NLA, and the higher levels of security is pretty secure from interception from someone. The problem with RDP is that you basically have something that is open that people could possibly be used to brute force into your network.
If you do choose to enable that, it will be very important to setup pretty harsh account lockouts. Setup a good IPS/IDS, and make sure you log access.
If this is something you need to permit, without an additional software configuration on the client, I do suggest you at least look at setting up a terminal services gateway. This will permit you to control, monitor, and limit RDP.
I wouldn't generally recommend using RDP directly over the Internet, if only because using a VPN gives you an additional layer of authentication (and the possibility to easily integrate hardware tokens). The RDP protocol does include encryption and, if you're using the newest versions of the RDP client, authentication of the remote server (and potentially mutual authentication via Kerberos-- "Network Level Authentication", or NLA in Microsoft parlance).
The main problem with RDP isn't the protocol, but rather problems with brute force password attempts. Your edge firewall can, hopefully, rate-limit new connection attempts. There are host-based solutions to block IP addresses sourcing repeated brute force connection attempts, but that's only putting a finger in the dike. Good password policy is helpful, but you can't ever be sure that your users aren't using the same passwords somewhere outside of your control (a third-party site that gets "owned", etc). Adding VPN authentication on top of the RDP password gives a belt-and-suspenders approach.
The "con" that I've heard expressed with VPNs versus direct RDP relates to the IP-level connectivity to the LAN afforded to VPN clients. To this, I'd say simply terminate your VPN in a DMZ and limit the traffic in and out of the VPN. This isn't a valid argument for using RDP over the Internet versus a proper VPN.
If you have passwords set to be of a decent length and complexity, RDP is encrypted, so it for the most part is secure. I personally wouldn't do it, preferring to use something like a Cisco VPN client on workstations then VPN to the workstation rather than leaving it open to the webbertubes. RDP can be susceptible to MITM attacks and you'll probably get bots and scans that will probe them.
I'd also set your policy to lock out accounts if they are tried 3 times with incorrect passwords to prevent/minimize brute force attacks.
Summary: it's probably secure enough to do this, but it's bad practice and should be avoided.
EDIT: there are worms that attack RDP, so you'll want to be mindful of this in enforcing your policies. I.e., Morto.
Leaving RDP open to the Internet is never a good idea. Little people from other Countries will brute force accounts on your server/domain constantly. This will lock out accounts and could eventually lead to a break-in. It would be better to force them to connect a VPN and tunnel RDP traffic.
*Edit: I should be fair... the little people hacking you are not always from other Countries. ;-)