While I agree completely with your comments about Windows authentication, I don't believe they go far enough.
Sql Server comes in many flavours, one of which is a Desktop version. I believe the very existence of this version of the product strongly implies that Microsoft expects, even encourages, us to develop bespoke databases for clients (and of course, the existence of the MSDE engine supports this inference).
In such an environment, I can expect to provide a tailored solution to one or more clients. Such a solution may involve software (programming), hardware (machines) and data (stored in databases <g>
. The client may elect to allow a number of users some type of access to all or some of the data - including a mobile access requirement (e.g. for a travelling salesman to work on his numbers at night in his hotel room). Now, in order to meet this type of requirement, the client can make available a copy of the database to run under the Desktop version of Sql Server.
As the designer and implementor, I can impose whatever security my client desires. Perhaps his salesmen are to be denied access to one or more tables. But once the database has been copied to the salesman's machine, all existing Sql Server security has just gone out the window. Removing the BUILTIN/Administrators works only on the database machine on which you remove that login. By copying such a database to another machine, anyone who has administrative NT rights on that second machine instantly has unfettered access to the copied database (I've tested this by creating a test database and removing all access; as soon as I copied the database to another machine, all read/write access was restored).
Even humble old Microsoft Access does better than this with its user security. The problem lies in where Sql Server chooses to store its security information - i.e. not in the target database.
I have discussed this issue with various Microsoft technical people - once they understand the problem, they simply trot out the usual trite remarks about "there's no security without physical security". Even most of the Sql gurus don't seem to realize just how fatally flawed Sql Server is in this respect - I guess they're not really thinking of Sql Server being used in this way.
Imagine the howls of protest (and even the derision and laughter) that would ensue if Microsoft were to announce that anyone with NT administrative rights on _any_ machine would _automatically_ have similar rights over _all_ other NT machines!