OpenHack 4 was a competition sponsored by eWeek. They invited Microsoft and Oracle to lock down an application (Microsoft had to re-write it since it was in JSP, so they converted it to .NET) and then had an open invitation hack fest. The only break was on the Oracle side, but I believe it was an issue in the application code (provided to the competitors) itself. Even so, it was a relatively minor break.
Microsoft made heavy use of non-standard things like revoking public access to almost all tables and stored procedures. In addition, they made very heavy use of IPSec policies between the various servers.
The permissions which public maintained:
SELECT on spt_values
EXECUTE on sp_MShasdbaccess
Keep in mind that altering permissions results in a non-standard config, meaning Microsoft may require you to put permissions back the way they were before supporting you.
Here are some of the tables where I saw difficulties if you dropped the public role's access:
syscharsets
sysdatabases *
* This one is a biggie for linking with Access and the like. You can get away with not having access to syscharsets, but sysdatabases can be a show stopper to creating an ODBC connection.
As far as system stored procedures, there are probably too many to enumerate. Consider that when MS Access goes to get a list of tables, it uses sp_tables, etc.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
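
An added example, not part of the original post: one way to audit what the public role can still reach in master and compare it with the two permissions the post says were kept. It assumes SQL Server 2008 or later (the catalog views postdate the configuration discussed above); the table variables and the `finding` labels are hypothetical names introduced for illustration.

```sql
-- Added example: list object permissions granted to public in master and
-- classify them against the baseline described in the post.
-- Assumes SQL Server 2008+ and a login allowed to read permission metadata.
USE master;

-- Baseline from the post: the only permissions public maintained.
DECLARE @baseline TABLE (object_name sysname, permission_name nvarchar(128));
INSERT INTO @baseline VALUES (N'spt_values', N'SELECT');
INSERT INTO @baseline VALUES (N'sp_MShasdbaccess', N'EXECUTE');

-- Objects the post reports client tools (ODBC, MS Access) rely on.
DECLARE @client_needs TABLE (object_name sysname);
INSERT INTO @client_needs VALUES (N'syscharsets');
INSERT INTO @client_needs VALUES (N'sysdatabases');
INSERT INTO @client_needs VALUES (N'sp_tables');

SELECT
    OBJECT_SCHEMA_NAME(pe.major_id) AS schema_name,
    OBJECT_NAME(pe.major_id)        AS object_name,
    pe.permission_name,
    pe.state_desc,
    CASE
        WHEN b.object_name IS NOT NULL THEN 'in baseline'
        WHEN c.object_name IS NOT NULL THEN 'client dependency: test before revoking'
        ELSE 'review'
    END AS finding
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN @baseline AS b
     ON b.object_name = OBJECT_NAME(pe.major_id) COLLATE DATABASE_DEFAULT
    AND b.permission_name = pe.permission_name COLLATE DATABASE_DEFAULT
LEFT JOIN @client_needs AS c
     ON c.object_name = OBJECT_NAME(pe.major_id) COLLATE DATABASE_DEFAULT
WHERE pr.name = N'public'
  AND pe.class = 1              -- object or column permissions only
  AND pe.state IN ('G', 'W')    -- GRANT or GRANT WITH GRANT OPTION
ORDER BY finding, schema_name, object_name;
```

Rows marked `review` are candidates for revocation; on SQL Server 2000, the version current at the time of OpenHack 4, `EXEC sp_helprotect @username = 'public'` produces the raw listing instead.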