As a further security measure you could take a leaf out of the system admin
around here's book: the root directory is NFS mounted and on most machines
the root password is invalid (#disabled# which is equivilent to * as neither
# nor * are in the target characters...). I guess host level equivilence is
used for admin functions. This makes it impossible to get root access on
these machines (you have to use a admin machine which could be set up to be
in your locked office and not aceept telnets, etc). Of course holes still
exist but this is coulde be a simple, effective security measure.