OK. So I can prevent remote systems from logging in as root by uncommenting the CONSOLE entry /etc/default/login.
BUT, is there a way to stop su - (when already logged in as own user)?
The way we do it is to set up sudoers so users who need access can do sudo su -
Yes, so your question is?
By default:
Without privilege, a normal user cannot use the su command to become another user - unless that normal user has the password to the other account. If that is not true then something is seriously wrong with your security setup. With Solaris 10 & 11 RBAC it would, in theory, be possible to set up this scenario - but do not do that. On Solaris 11 you can create a root role, for example then give that role to everyone on the system. Bad idea.