the 2005 stored procs that modify system config values, and go out to AD or the server registry and disk subsystem. Basically the ones that can reach outside the database. We disable public access to them and create user roles for the ones that we use and grant rights to the roles to our users and developers.