If your users are connecting through an application server you can put the SQL Server behind a firewall and just allow access through the firewall to the app server IP address, thus denying enyone else access.