All Database Users will at minimum be a member of the public Role. This affords them basic permissions like connecting to the database. Now, you can grant or deny permissions from the public Role if you want everyone to have that permission, but that is ill-advised.
Understood. As for altering the "basic" permissions the Public role has, that would get my SQL Servers yanked off the network around here... If it weren't for the fact that removing (if even possible) the Public Role would break just about everything in SQL, that's what they'd want done...
Yes, where I work is that maniacally security oriented. The best way to say what the rules are for setting up / configuring servers?
This site is the be-all / end-all bible: http://iase.disa.mil/stigs/index.html
That said, just because a User is only a member of public does not mean they have no permissions. Users can be granted permissions directly.
OK. But, in this case, I know the users have no other permissions granted, only what they've got through role membership.
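The distinction discussed in this thread (permissions inherited through public or other roles versus permissions granted directly to a user) can be checked from the catalog views. The queries below are an added example, not posted by anyone in the thread; they use the standard `sys.database_permissions`, `sys.database_principals` and `sys.database_role_members` views and are meant to be run in the database under review.

```sql
-- Added example: separate what 'public' holds from what is granted
-- (or denied) directly to individual users in the current database.
SELECT
    pr.name            AS principal_name,
    pr.type_desc       AS principal_type,
    CASE WHEN pr.name = N'public'
         THEN 'inherited by every user (public)'
         ELSE 'granted directly to this user'
    END                AS permission_source,
    pe.state_desc      AS grant_state,        -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
    pe.permission_name,
    pe.class_desc      AS securable_class,
    CASE pe.class
        WHEN 0 THEN DB_NAME()                 -- database-level permission
        WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)
        WHEN 3 THEN SCHEMA_NAME(pe.major_id)  -- schema-level permission
        ELSE CAST(pe.major_id AS nvarchar(20))
    END                AS securable_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'public'
   OR (pr.type IN ('S', 'U', 'G')             -- SQL user, Windows user, Windows group
       AND pr.name NOT IN (N'dbo', N'sys', N'INFORMATION_SCHEMA'))
ORDER BY permission_source, pr.name, pe.class_desc, pe.permission_name;

-- Role memberships beyond public (public membership is implicit
-- and never appears in sys.database_role_members).
SELECT
    m.name AS member_name,
    r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
ORDER BY m.name, r.name;
```

A user whose only row in the first result set is a database-level CONNECT, and who has no rows in the second, is relying on public alone.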