People do this for kiosks (unattended, public use) all the time. It's a good solution for some things.
It's easier to enforce a security policy on well-managed PCs which turn off various ports in software (AND DISABLE AUTORUN!), vs. trying to physically disable them, but DoD also had people go around and epoxy USB ports, or at the very least put foil seals on them. There are problems with this, like the USB CD-ROM token things, and the attack mouse.
One of the few areas of IT security the DoD gets right is physical protection of infrastructure (relatively). Unfortunately, it's usually basically a strong shell with a gooey inside of software/networks, and with big pipes bringing lots of stuff in and out of the shell constantly. Once something bad gets in, it's kind of too late.
There's a lot of awesome new Intel stuff to make PC hardware potentially more secure -- secure boot, CPU features, memory protection, etc. Combined with the right OS, you could go a long way. Unfortunately a lot of people are also against this technology because it has been used for Digital Rights Management (DRM) anti-piracy, other privacy violations, etc. I was really against it for those reasons, but have come to think it would on the whole be a net win for society to have more secure IT, even if not being able to break it so easily means some people can use computers for bad things.
On the topic of disabling autorun, there was a patch earlier this year to disable autorun on non-shiny media by default in XP and Vista (it's already turned off in 7).