Offtopic (split from ...data offline from live CD)
This topic is closed.

    How about if you disable user reboot and shutdown? Then you could replace the power button with a key switch.

    Please Read Me

    #2
    Attack: enter sudo reboot in a console window
    Defense: disallow sudo and su

    Attack: Remove and re-insert the power cord
    Defense: Tamper-resistant power cabling (no socket in back of PC, no socket in wall)

    Attack: Use Alt+SysRq+R+S+E+I+U+B to reboot the computer without needing to be root
    Defense: Put echo 0 > /proc/sys/kernel/sysrq in /etc/rc.local to disable Magic SysRq keys

    and so on
    aanndd ssoo oonn
    aaaannnndddd ssssoooo oooonnnn



      #3
      Well the first one (sudo) just a good password and not being in the sudo users group would prevent that. Besides, you could block Konsole and re-direct ctrl-alt-fX or close the ttys.

      I'm going to drag this out until your head explodes...



      Please Read Me



        #4
        Attack: Attach a FireWire device (if the computer has a port) -- unlike USB, FireWire does direct memory access and can take control of the hardware
        Defense: Disable FireWire in firmware settings or blacklist the kernel module

        Attack: Press Alt+F2 and enter dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart
        Defense: Disable KRunner, or the ability to (1) run commands and (2) change the KRunner configuration

        We could keep going

        The overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing critical tools necessary to do their jobs.
        Last edited by SteveRiley; May 31, 2014, 06:22 PM.
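
        An added example, not part of any post in this thread: a small audit that checks a filesystem tree for the Magic SysRq and FireWire defenses listed in posts #2 and #4. It assumes the SysRq setting is persisted through sysctl configuration files rather than /etc/rc.local and that the controller driver is firewire_ohci (ohci1394 on older kernels); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the SysRq and FireWire settings under a root prefix.
# Pass "" to audit the running system, or a directory (mounted image, test tree).

# Runtime state: 0 in /proc/sys/kernel/sysrq means every SysRq function is off.
sysrq_runtime_ok() {
    [ "$(cat "$1/proc/sys/kernel/sysrq" 2>/dev/null)" = "0" ]
}

# Persistence (assumption: sysctl.conf / sysctl.d is used). Conservative rule:
# at least one kernel.sysrq line must exist and every one found must be 0.
sysrq_persistent_ok() {
    vals=$(cat "$1"/etc/sysctl.conf "$1"/etc/sysctl.d/*.conf 2>/dev/null |
        sed -n 's/^[[:space:]]*kernel\.sysrq[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p')
    [ -n "$vals" ] || return 1
    for v in $vals; do [ "$v" -eq 0 ] || return 1; done
}

# A module counts as blocked when modprobe.d blacklists it or replaces its
# install command with /bin/false or /bin/true. modprobe treats - and _ alike.
module_blocked() {
    mod=$(printf '%s' "$2" | tr '-' '_')
    cat "$1"/etc/modprobe.d/*.conf 2>/dev/null | tr '-' '_' |
        grep -Eq "^[[:space:]]*(blacklist[[:space:]]+$mod|install[[:space:]]+$mod[[:space:]]+/bin/(false|true))[[:space:]]*(#.*)?$"
}

# True when the module is already resident, whatever the config says.
module_loaded() {
    grep -q "^$(printf '%s' "$2" | tr '-' '_') " "$1/proc/modules" 2>/dev/null
}

# Print one FAIL line per finding; return 0 only when nothing failed.
audit() {
    fail=0
    sysrq_runtime_ok "$1"    || { echo "FAIL sysrq enabled at runtime"; fail=1; }
    sysrq_persistent_ok "$1" || { echo "FAIL kernel.sysrq=0 not persisted"; fail=1; }
    for m in firewire_ohci ohci1394; do
        module_blocked "$1" "$m" || { echo "FAIL $m not blocked in modprobe.d"; fail=1; }
        if module_loaded "$1" "$m"; then echo "FAIL $m currently loaded"; fail=1; fi
    done
    return $fail
}

# Run against the live system only when asked: sh audit.sh --run [ROOT]
if [ "${1:-}" = "--run" ]; then audit "${2:-}"; fi
```

        A blacklist entry only stops automatic loading, so the audit also reports a module that is already loaded.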



          #5
          Originally posted by SteveRiley View Post
          The overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing critical tools necessary to do their jobs.
          Preach!

          Please Read Me



            #6
            I will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.

            I am no expert but it seems like a simplistic solution to just pop in a CD or USB and boot the machine.



              #7
              If one really and truly wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
              Using Kubuntu Linux since March 23, 2007
              "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                #8
                Originally posted by Snowhog View Post
                If one really and truly wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
                Yep, that's about the only way to accomplish the goals, but the tradeoff is a severe reduction in utility. No offline work can be done, for example.

                Originally posted by Simon View Post
                I will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.
                But this alone won't prevent someone from shrinking the partitions on the computer's hard drive and installing an operating system on it.

                There are really only two solutions here:
                1. Remote desktop, as Snowhog writes.
                2. Hardware-based attestation and root-of-trust using a TPM, as I described in post #14.



                  #9
                  So it boils down to what you said Steve, you need some avenue of trust with your employees. I am glad Frank and I run a relaxed working atmosphere at the clinic. We don't bark at our staff for playing games at work. For example, Cindy is working the front desk and I can see that between patients she is on Facebook or playing a game. I really could care less as long as it relaxes her and she can get her work done. I really don't need a crab ass greeting people at the front. lol

                  I would never expect anyone to work in an environment that cannot trust each other to do their job. At lunch we usually stay in and order takeout, so a lot of us like to jump on a game. I hit Kongregate or something like that at lunch. BTW I almost forgot. We are running Linux in the office now, Frank and I set all the office PCs up to use it. A few people came in last month and were thinking they would have to relearn. But we have everything set up and no complaints. Best of all, zero downtime so far. However I lost out on installing Kubuntu, Frank convinced me that Debian with the Gnome GUI (I think) is more Windows user friendly to assimilate. But you guys know I am still loyal to my Kubuntu as my employees and coworkers are loyal to me.



                    #10
                    GNOME Shell (in GNOME 3.x) is about as opposite from Windows as you can imagine. Are you sure the DE that Frank picked is that one? The older GNOME 2.x is sort of Windowsish, but it is no longer under maintenance.

                    TBH, if the goal is to replicate a Windows experience, KDE is the best choice.

                    Oh, and hello from AA 2411 at 39,000 feet, en route DFW to SFO! Yes, I'm posting this purely because I can. Ain't technology grand?

                    Last edited by SteveRiley; Jun 06, 2014, 10:27 PM.



                      #11
                      I can't see you. Open the door and "wave".
                      Using Kubuntu Linux since March 23, 2007
                      "It is a capital mistake to theorize before one has data." - Sherlock Holmes



                        #12
                        When I did that, my gin tonic flew out the door! Such a waste.



                          #13
                          I am getting ready to head for work, but here is the info Frank gave me.

                          Linux Debian 6.0.9
                          Kernel 2.6.32-5-686
                          Gnome 2.30.2

                          Now before you go telling me we could do better, I doubt even one machine in the office has a dual core or more. In fact, I seem to recall the best machine we got donated to us was an Intel 32 2Ghz with 1GB or so of RAM. But it is not like we spent any of our funding on this, the university gave us bonus points for that small feat alone. Frank and I feel this is a victory. It works and that is what really matters eh? Money well not spent.



                            #14
                            Hi again! It's sooooo coooold up here.

                            Last edited by SteveRiley; Jun 06, 2014, 10:28 PM.



                              #15
                              Originally posted by Snowhog View Post
                              If one really and truly wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
                              Forgive me, I'm having an imagination failure. Probably because I wasn't around in the old school days

                              What exactly is a client terminal & monitor? I'd imagined them as really low powered PCs that can SSH to the server, but based on your description that can't be right! What's the physical connection between it and the server?
                              samhobbs.co.uk
