prevent reset password on centos

You can protect single user mode in boot loader level.
It's from wiki.centos.org
For directions on protecting grub, see BIOS and Boot Loader Security. To require root's password for single user mode, you can use:

echo "# Require the root pw when booting into single user mode" >> /etc/inittab
echo "~~:S:wait:/sbin/sulogin" >> /etc/inittab
echo "Don't allow any nut to kill the server"
perl -npe 's/ca::ctrlaltdel:\/sbin\/shutdown/#ca::ctrlaltdel:\/sbin\/shutdown/' -i /etc/inittab

You must secure booting from other devices like dvd/usb in BIOS, and secure BIOS editing by password. That's all I can think of.

I assume that you have GRUB (boot loader) installed.

This boot loader can be password secured in a way that users which do not know this password are prevented from access to Single User Mode and also from booting into an insecure OS (dual boot).

Chapter 47.1.2.2 of the RedHat Deployment Guide:

https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch-sec-network.html#ch-wstation

has detailed info on this. In chapter 47.1.2.1 there are instructions how to secure the BIOS so that booting from external media is prevented.

wmp

Make sure there is no physical access to the machine: if there is, you'll have to go with some fairly extreme measures to keep someone from tampering with the system.  Assuming that you're the only one with physical access to the machine (or at least this other person has no access to it):

Remove all capability of remotely logging into the system by stopping some services.  Use

netstat -at

Select allOpen in new window

to determine what ports are open (look for things like "*:ssh" for services that are listening for connections).  Hopefully you don't have anything like telnet or simple (insecure) FTP running.  Be sure to check the SSH configuration (usually in /etc/ssh/sshd_config) to make sure nobody can login directly as root... if you do this currently, stop, instead look at "sudo".