I have found that if we leave them with little or no obvious security, no one is challenged enough to fool with them. When we start locking them up, people feel challenged to test their hack skills.
We also use keyboard/mouse/monitor extender cables to keep the HMI panel small and put the hardware in a remote, more secure location. Our biggest problem in the past had been people stealing the RAM! But, I don't like locking down the USB and disc ports. All too often some tech (often me) has a legitimate need for them and then it's just counter productive to have it all locked down.
Another best practice that has saved our butts frequently is to use a removable hard drives with a key. That allows quickly restoring the system in the event of a crash (without having to open the case or use any tools), and also wipes out everyone's minesweeper high scores and fresh game installations. We just keep a clone of each drive and keep the backup locked up safely. Only drawback is losing recipe changes (if you use PC based recipe storage) and log files and such. But, if the hard drive crashes, you lose them anyway and need some other backup plan specifically for those files.
JMHO
PC