This issue has been addressed a lot on various sites. Start with this one:
http://www.sqlsecurity.com/DesktopDefault.aspxFWIW - I don't agree with this approach. While the software is yours, the data belongs to your client. There is a lot of value in providing a mechanism that your client can use to access their data, outside of an export. I do understand that you might not want the client viewing your code, and you can encrypt the procs to help with that.
Just my $0.02
-Mike
>We are trying to prevent the local administrator from getting into SQL tables and stored procedures. The server belongs to the company; our software is leased to the user for use only. We would like to block the local administrator from getting into the tables using Enterprise Manager or Query Analyzer. In the SQL Server Properties, under authentication, we only have two options SQL Server and Windows or Windows only. How can a software company like us use SQL Sever with a local Administrator and protect the data?