Disable Root Account

You hardly (if ever) need the root password if you log in with a normal account and use sudo to elevate your permissions. Hence, it is a good measure to prevent anyone from logging in as root.

A few solutions exist to lock down the root account.

Disable Remote Access
In /etc/ssh/sshd_config set the PermitRootLogin setting to no: PermitRootLogin no

Disable Password
Notes:
 * Even if the password is disabled, users can still gain access to the account with other authentication methods, like public key. To disable all account logins, set the expiration date.

To lock the root password:
    sudo passwd -l root    # on Linux
or
    sudo usermod -L root
or
    sudo pw lock root      # on FreeBSD

To unlock the root password:
    sudo passwd -u root    # on Linux
or
    sudo pw unlock root    # on FreeBSD

You can check if an account is locked by examining the /etc/shadow password file. If it is locked, the password starts with an exclamation mark:
    # grep root /etc/shadow         # on Linux
    root:!$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:14358:0:99999:7::0:

    # grep root /etc/master.passwd       # on FreeBSD
    root:*LOCKED*$1$DU4xW/VH$EnmLXpf3vNW3zfvcCNZRb0:0:0::0:0:Charlie &:/root:/bin/csh

Set account expiration date
Notes:
 * Setting the expiration date to 0 prevents cron jobs that run as root from running.

Disable account login by setting the expiration date to 0: chage -E 0 root

To enable the root account, set it back to -1: chage -E -1 root

To display the account expiration date, use the -l option: chage -l root
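
The checks above can be combined into one audit. The following is an added example, not part of the original page: it classifies a Linux /etc/shadow entry and reads PermitRootLogin from sshd_config text. The function names and sample entries are constructed, an expire value of 0 is assumed to count as expired (as the chage -E 0 step relies on), and Match blocks and Include files in sshd_config are ignored.

```shell
#!/bin/sh
# Added example. shadow(5) field layout:
#   name:password:lastchg:min:max:warn:inactive:expire:reserved

# shadow_status LINE [TODAY_IN_DAYS_SINCE_EPOCH]
# Prints "pw=<locked|nologin|empty|set> acct=<expired|active>".
shadow_status() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    exp=$(printf '%s\n' "$line" | cut -d: -f8)

    case $pw in
        '!'*) pw_state=locked ;;   # passwd -l / usermod -L prefix the hash with '!'
        '*'*) pw_state=nologin ;;  # no usable password hash
        '')   pw_state=empty ;;    # empty field: no password required
        *)    pw_state=set ;;
    esac

    # expire is in days since 1970-01-01; empty or -1 means "never".
    # Assumption: 0 counts as expired, which is what chage -E 0 relies on.
    if [ -n "$exp" ] && [ "$exp" -ge 0 ] && [ "$exp" -le "$today" ]; then
        acct_state=expired
    else
        acct_state=active
    fi
    printf 'pw=%s acct=%s\n' "$pw_state" "$acct_state"
}

# permit_root_login < sshd_config
# Prints the first uncommented PermitRootLogin value (sshd uses the first
# value it reads for a keyword), or "unset" if there is none.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# Constructed sample entries (placeholder salt and hash, not real values).
for entry in \
    'root:!$6$SALT$HASH:14358:0:99999:7:::' \
    'root:!$6$SALT$HASH:14358:0:99999:7::0:'
do
    shadow_status "$entry"
done
printf '#PermitRootLogin yes\nPermitRootLogin no\n' | permit_root_login
```

The first sample reports pw=locked acct=active: the password is locked, but the account is not expired, so other authentication methods such as public key still work.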

Use PAM
I'm certain that a more advanced method exists to lock down the root account by using the Pluggable Authentication Modules (PAM), but I'm unfortunately not a PAM-expert.

Rename User (Not recommended)
It is possible to remove the "root" user, and create a super user with a different name (e.g. a user 'radicle' with uid=0 and gid=0).

Notes:
 * I do not consider this secure as it is mostly security-through-obscurity.
 * It is inconvenient: some scripts have a habit of sending errors to root (so you need either a mail alias or change these scripts) and some cron jobs and startup scripts are specified to run as user 'root' (you need to adjust these).

Disable Shell login (Not recommended)
Another solution is to set the login shell of root to /bin/false instead of /bin/sh or /bin/bash.

Notes:
 * This is not secure. An attacker can still connect via ssh to initiate a tunnel (with ssh -L) and use it as a means to bypass your firewall.
 * It is inconvenient: This method prevents single user login, although it can easily be overridden by setting the shell with a boot parameter. E.g.
       kernel /boot/vmlinuz-2.6 root=/dev/sda1 rw single shell=/bin/bash
   or even
       kernel /boot/vmlinuz-2.6 root=/dev/sda1 rw init=/bin/bash

Problems
Debian and Ubuntu contain a bug where the  (and  ?) tools print an error when creating a new user while the root password is locked or expired. The typical error message looks like this:

    # apt-get install amavisd-new
    ...
    Creating/updating amavis user account...
    Your account has expired; please contact your system administrator
    chfn: PAM authentication failed
    adduser: `/usr/bin/chfn -f AMaViS system user amavis' returned error code 1. Exiting.

In reality, the new account is created just fine. However, if the account was created as part of an installation procedure, the installation may have been aborted. I recommend temporarily removing the password lock and trying again.

In this case:
    apt-get remove --purge amavisd-new
    chage -E -1 root
    apt-get install amavisd-new
    chage -E 0 root