How to disable single-user boot (command S)

By default, Macs are extremely insecure if somebody can get physical access, as they can simply shut it down, press the power button, hold command-S, and there, they get root access in 5 seconds.

Is there a way to disable the single-user boot mode, or at least password-protect it?


Solution 1:

The best you can do is set a firmware password in hopes that someone won't change the boot options stored in NVRAM or let the keyboard select an alternate software to boot and bypass your administrative passwords.

Older Macs use Open Firmware to enforce this password; newer ones use EFI Password to prevent booting into single-user mode.

Physical access means that, with tools, your Mac is vulnerable to someone physically resetting the firmware password or removing the drive. To protect against that, consider FileVault, which encrypts the contents of your disk and requires the correct password regardless of physical access to the Mac.

Solution 2:

With complete physical access, all bets are off regarding security of booting. Make sure that the data or user accounts that you care about are encrypted (FileVault, et al.) so that the bits on the disk are more likely useless without a password.
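
A defender-side check for the two controls the answers above name (firmware password and FileVault), added here as an example and not part of the original answers. It classifies the output of the macOS tools `firmwarepasswd -check` and `fdesetup status`; the output strings it matches are assumed from those tools' usual wording, and the `--live` switch is this script's own.

```shell
#!/bin/sh
# Added example: audit firmware-password and FileVault state on a Mac.
# Assumption: firmwarepasswd prints "Password Enabled: Yes|No" and
# fdesetup prints "FileVault is On.|Off." plus an "... in progress" line
# while a conversion is still running.

# Classify the text printed by `firmwarepasswd -check`.
firmware_state() {
    case "$1" in
        *"Password Enabled: Yes"*) echo enabled ;;
        *"Password Enabled: No"*)  echo disabled ;;
        *)                         echo unknown ;;   # not root, or tool absent
    esac
}

# Classify the text printed by `fdesetup status`.
# A conversion in progress means some blocks are still plaintext on disk.
filevault_state() {
    case "$1" in
        *"in progress"*)      echo converting ;;
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Report findings; return 0 only when both controls are fully in place.
# $1 = firmwarepasswd output, $2 = fdesetup output
audit() {
    fw=$(firmware_state "$1")
    fv=$(filevault_state "$2")
    rc=0
    [ "$fw" = enabled ] || { echo "FAIL firmware password: $fw"; rc=1; }
    [ "$fv" = on ]      || { echo "FAIL FileVault: $fv"; rc=1; }
    [ "$rc" -ne 0 ]     || echo "PASS firmware password set, disk encrypted"
    return "$rc"
}

# Live mode queries the real tools; firmwarepasswd needs root.
if [ "${1:-}" = "--live" ]; then
    audit "$(firmwarepasswd -check 2>&1)" "$(fdesetup status 2>&1)"
fi
```

Run it as root with `--live` on the Mac being checked; without that switch the script only defines the functions.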