Access control takes two forms: physical and logical. The purpose of physical security is to deny an intruder easy physical access to critical infrastructure or sensitive data. Note I didn't say prevent. A determined intruder will find a way around fences, motion sensors, locks, etc. The intent of a good physical security design is to raise the level of effort needed to reach a target higher than the target's value. If that isn't reasonable or appropriate, then the controls should detect and delay intrusion so the intruder can be apprehended.
Unless all sensitive information on a physically compromised system is encrypted, a skilled intruder who can actually put his or her hands on the device will get your data. For more information on physical security planning and design, see Overview of Physical Security.
Logical access control limits who or what (the subject) can access an information asset (the object). A subject can be a person, an application, a process, etc. For desktop systems, the most important control is taking local administrator control away from your users. Employees logging on to their computers with full access are conduits through which attackers can install malware, retrieve sensitive information, or simply take control of one or more desktops for later use (e.g., enlist them in a botnet). So never leave the local administrator account password blank: give the account a strong password, and let only a limited number of support staff know what it is.
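One way to check a Windows desktop against this advice is sketched below. This is an added example, not part of the original text. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, and the allow-list entries (`EXAMPLE\Desktop-Support` in particular) are hypothetical placeholders.

```powershell
# Added example: audit who holds local administrator rights on this desktop and
# whether the built-in Administrator account could be left without a password.
# Run in an elevated session.

# Hypothetical allow-list: the only principals that should be local administrators.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    'EXAMPLE\Desktop-Support'          # constructed placeholder support group
)

# 1. List members of the local Administrators group. The well-known SID is used
#    so the check also works where the group name is localized.
$unexpected = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name } |
    Select-Object Name, ObjectClass, PrincipalSource

# 2. Find the built-in Administrator account by its RID (500), so a renamed
#    account is still found.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.*-500$' }

$findings = @()
foreach ($m in $unexpected) {
    $findings += "Unapproved local administrator: $($m.Name) ($($m.ObjectClass))"
}
# PasswordRequired = False means the account is permitted to have a blank password.
if ($builtin.Enabled -and -not $builtin.PasswordRequired) {
    $findings += "Built-in account '$($builtin.Name)' is enabled and may have a blank password"
}
# An empty PasswordLastSet means no password has ever been set on the account.
if ($builtin.Enabled -and -not $builtin.PasswordLastSet) {
    $findings += "Built-in account '$($builtin.Name)' is enabled and has never had a password set"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No local administrator findings.' }
```

The script cannot tell whether a password that has been set is strong, or how many people know it; those remain policy checks.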
We'll look at logical controls in more detail when we discuss overall network access.