Along with what Grant stated, if they can read it in SSMS they are going to be able to copy it out whether it be with a screen capture or copy/paste in certain areas. IMHO, your security policy should include something that covers data usage and access for your company. You can only physically and logically protect your data so far, once you reach that point your company should have some standard policy that kicks in and does the rest. I work with a good bit of data with the company I am contracted to and signed an NDA agreement. The wording in that agreement speaks on acknowledging that I am aware of the repercussions that occur if my account is found to have been used to access or leak any information (of any kind) that was not authorized. Just my $.02
- Set up a computer in a monitored room. - Remove any removable drives. - Configure firewalls so that the only network connectivity the system has is to SQL Server. - Revoke users' rights from SQL Server - Create new logins for access via this new mechanism - Take a ruler to their knuckles if they try and copy anything to paper. Seriously, a certain level of trust is implied by granting their logins access to the data in the first place. If they are allowed to "see" the data why are they not allowed to work with it?