I agree that is EXTREMELY open-ended. I would start with finding out which logins/AD groups have high privileges at the server and database levels. I would also review this at the server level.

You could go more formal and review the DoD STIG definitions and decide whether each item applies.

CEWII