To secure a Mac workstation, remember the users

Computerworld - Earlier in this series on Macintosh security, I discussed how to physically secure workstations within an infrastructure (see "Workstation security: Lock down that Mac") and how to use the various Open Firmware modes in modern Macs to keep hostile users from bypassing security by booting from an alternate start-up disk (see "Open Firmware Security for Mac Workstations"). I want to continue my discussion of workstation security by describing a number of ways you can configure individual workstations to make their local resources and data (and, thus, your entire infrastructure) more secure.
Securing the data on a workstation means securing user files and folders as well as application folders and operating system components. The goal is to ensure not only that the data that users store on their workstations is safe from prying eyes, but also that any information about your network at large is safe. You also need to maintain the stability and integrity of the workstation so that it can't be hijacked for nefarious purposes.
Some of the tactics here may not be appropriate for every network or every workstation. Some may compromise functionality that you need. Some apply more to Mac OS X Server infrastructures, while others apply more to stand-alone installations. As always, a system administrator's job involves striking a balance between practical user needs and security. Your mileage may vary.
Don't show any user data
Every Mac log-in window, including those in Mac OS X, and Mac OS 9 with multiple users or Mac Manager -- offers you the option of displaying a list where users select their name and then enter their password. This approach is the default for Mac OS X installations. It's graphically attractive, and it can be a major security hole. It displays every user's name to anyone who sits at the workstation. This means that intruders know immediately which usernames are valid; they need only guess someone's password to gain access. Granted, a standard naming scheme may make it easy to guess someone's username, but every step toward security helps. Also, in Open Directory infrastructures, this list is transmitted across the network whenever the log-in Window loads (possibly in clear text), further lessening security. Don't display usernames.
On the same topic, don't use password hints. This isn't an option for directory domain user accounts anyway. But in stand-alone installations, using hints seriously compromises the integrity of passwords. It's far better to make users call the help desk for password resets than it is to take this security risk.
On a related