diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index fb8b0229c1d..79570fc2571 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -188,6 +188,20 @@ in
       options = [ groupOpts ];
     };
 
+    security.initialRootPassword = mkOption {
+      type = types.str;
+      default = "";
+      example = "!";
+      description = ''
+        The (hashed) password for the root account set on initial
+        installation.  The empty string denotes that root can login
+        locally without a password (but not via remote services such
+        as SSH, or indirectly via <command>su</command> or
+        <command>sudo</command>).  The string <literal>!</literal>
+        prevents root from logging in using a password.
+      '';
+    };
+
   };
 
 
@@ -240,7 +254,7 @@ in
             # Can't use useradd, since it complains that it doesn't know us
             # (bootstrap problem!).
             echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
-            echo "root::::::::" >> /etc/shadow
+            echo "root:${config.security.initialRootPassword}:::::::" >> /etc/shadow
         fi
       '';
 
diff --git a/nixos/modules/virtualisation/amazon-image.nix b/nixos/modules/virtualisation/amazon-image.nix
index cfc582170e6..abd2a1084bd 100644
--- a/nixos/modules/virtualisation/amazon-image.nix
+++ b/nixos/modules/virtualisation/amazon-image.nix
@@ -160,4 +160,9 @@ with pkgs.lib;
   environment.systemPackages = [ pkgs.cryptsetup ];
 
   boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
+
+  # Prevent logging in as root without a password.  This doesn't really matter,
+  # since the only PAM services that allow logging in with a null
+  # password are local ones that are inaccessible on EC2 machines.
+  security.initialRootPassword = "!";
 }
diff --git a/nixos/modules/virtualisation/virtualbox-image.nix b/nixos/modules/virtualisation/virtualbox-image.nix
index beed36b6a51..71bdf31a98d 100644
--- a/nixos/modules/virtualisation/virtualbox-image.nix
+++ b/nixos/modules/virtualisation/virtualbox-image.nix
@@ -107,4 +107,9 @@ with pkgs.lib;
   boot.loader.grub.device = "/dev/sda";
 
   services.virtualbox.enable = true;
+
+  # Prevent logging in as root without a password.  For NixOps, we
+  # don't need this because the user can login via SSH, and for the
+  # demo images, there is a demo user account that can sudo to root.
+  security.initialRootPassword = "!";
 }