Use Windows group logins to simplify ongoing management where possible.
Disable logins rather than dropping them if there is any chance that they will be needed again.
Ensure that expiry dates are applied to logins that are created for temporary purposes.
Use fixed server-level roles to delegate server-level management responsibility, and only create user-defined server-level roles if your specific administrative delegation solution requires them.
Disable the guest user in user databases unless you specifically require guest access.
Aim to grant the minimum number of explicit permissions possible to meet the security requirements, and use membership of roles and inheritance to ensure the correct effective permissions.
Ensure every user has only the permissions they actually require.
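
The T-SQL below is an added example, not code from the original page. It applies several of the practices above and then audits a database for guest access and for permissions granted directly to users instead of through roles. The names CONTOSO\SalesApp_Users, temp_contractor, SalesDB, sales_reader and the Sales schema are hypothetical.

```sql
-- Hypothetical names throughout: CONTOSO\SalesApp_Users (Windows group),
-- temp_contractor (SQL login), SalesDB (user database), sales_reader (role).

-- One login for a Windows group instead of one login per person.
CREATE LOGIN [CONTOSO\SalesApp_Users] FROM WINDOWS;

-- Disable a login that may be needed again; its SID, mapped users and
-- permissions are preserved, which dropping would lose.
ALTER LOGIN temp_contractor DISABLE;
GO

USE SalesDB;
GO

-- Disable the guest user in a user database by revoking CONNECT.
REVOKE CONNECT FROM guest;

-- Grant through a role so effective permissions come from membership.
CREATE ROLE sales_reader;
GRANT SELECT ON SCHEMA::Sales TO sales_reader;
CREATE USER [CONTOSO\SalesApp_Users] FOR LOGIN [CONTOSO\SalesApp_Users];
ALTER ROLE sales_reader ADD MEMBER [CONTOSO\SalesApp_Users];
GO

-- Audit 1: any row returned means guest can still connect to this database.
SELECT dp.name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE dp.name = N'guest'
  AND p.permission_name = N'CONNECT'
  AND p.state IN ('G', 'W');          -- GRANT or GRANT WITH GRANT OPTION

-- Audit 2: explicit permissions held directly by users or Windows groups
-- rather than by roles. Each row is a candidate to move into a role.
SELECT dp.name        AS principal_name,
       dp.type_desc   AS principal_type,
       p.class_desc   AS securable_class,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE dp.type IN ('S', 'U', 'G')      -- SQL user, Windows user, Windows group
  AND p.permission_name <> N'CONNECT' -- CONNECT is expected on every user
  AND dp.name NOT IN (N'dbo', N'guest', N'sys', N'INFORMATION_SCHEMA')
ORDER BY dp.name, p.permission_name;
```

Run the two audit queries in each user database; they only read catalog views and change nothing.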