I agree that is EXTREMELY open-ended. I would start with finding out which logins/AD groups have high privileges at the server and database levels. I would also review this at the server level.
You could go more formal and review the DoD STIG definitions and decide whether each item applies.
CEWII
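An added example, not the poster's own code, of the privilege inventory suggested above. It assumes the platform is Microsoft SQL Server and uses only the standard catalog views: members of the fixed server roles, direct server-level permissions that amount to full control, and members of the powerful fixed database roles in every online database.

```sql
-- 1. Server level: who holds a fixed server role (sysadmin and friends).
SELECT r.name AS server_role, m.name AS member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin', 'setupadmin',
                 'processadmin', 'diskadmin', 'dbcreator', 'bulkadmin')
ORDER BY r.name, m.name;

-- 2. Server level: explicit grants that are equivalent to (or a path to) sysadmin,
--    which a role-only review would miss.
SELECT p.name AS grantee, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN ('CONTROL SERVER', 'ALTER ANY LOGIN',
                             'IMPERSONATE ANY LOGIN', 'ALTER ANY SERVER ROLE',
                             'UNSAFE ASSEMBLY')
ORDER BY p.name, sp.permission_name;

-- 3. Database level: members of the high-privilege fixed database roles in
--    every online database, built as one dynamic UNION ALL query.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'UNION ALL '
    + N'SELECT ' + QUOTENAME(name, '''') + N' AS database_name, r.name AS database_role, '
    + N'm.name AS member, m.type_desc '
    + N'FROM ' + QUOTENAME(name) + N'.sys.database_role_members AS rm '
    + N'JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS r ON r.principal_id = rm.role_principal_id '
    + N'JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS m ON m.principal_id = rm.member_principal_id '
    + N'WHERE r.name IN (''db_owner'', ''db_securityadmin'', ''db_accessadmin'', ''db_ddladmin'') '
FROM sys.databases
WHERE state_desc = 'ONLINE';

-- Drop the leading 'UNION ALL ' (10 characters) from the first SELECT.
SET @sql = STUFF(@sql, 1, 10, N'') + N'ORDER BY database_name, database_role, member;';
EXEC sys.sp_executesql @sql;
```

Rows whose type_desc is WINDOWS_GROUP are AD groups; SQL Server cannot show their (possibly nested) membership, so resolve those groups in Active Directory to see which people actually hold the privilege.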