You can change the /etc/securetty (spelling?) file to determine how root can log in. I disallow all root logins. I am the only admin, and I still require myself to su to root. If, by some chance, someone somehow gets the root password, they can't login directly, and the su would be noticeable. Especially since none of the users here know how to use *nix.

Also, by forcing myself to su, it guarantees that I want to be root. I actually have to login twice to do something, so I force myself to think about what I am doing before I really screw something up.