This is a very large question and depends on different factors, like the location of the server (in the local intranet, DMZ, etc.), the user authentication model, the design of the database, the ability to restrict access on a row-level basis, securing backups, etc.
I suggest that you start from, for example:
Securing SQL Server.
Also have a look at these for restricting user access:
- http://msdn.microsoft.com/en-us/library/ms187936.aspx
- http://msdn.microsoft.com/en-us/library/ms187965.aspx