Students using remote access to make others not so happy...

You can go into "Sharing" in System Preferences and change remote management to only allow access for specific users. Add the user you want to have remote access, which will prohibit anyone who isn't specifically allowed.

If you want to script it you can use:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -users short,usernames,seperated,by,commas -access -on -restart -agent -privs -all -allowAccessFor -specifiedUsers

To get the man page on kickstart run:

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -h

In case its of interest, if the option for remote management is set allow all users, any non-admin user (even AD users) can use Apple Remote Desktop to send unix commands as the root user. Anything from gaining access to other users data, or deleting the entire target hard drive is possible when the Macs are configured with that option.

Definitely worth switching to specified users only!

Apples KB

Would simply changing the vnc port on the machines work?

Why not set up Restricted Software items for both "Screen Sharing" and "Remote Desktop" and make sure to scope them to all student Macs. Be sure to use the restrict exact process name checkbox.
There's no reason they should need either of those applications to work on their systems. When someone remotely connects to a Mac over screen sharing, the Screen Sharing.app usually launches on their system (unless they have a copy of ARD and are using that instead) Blocking both of those should shut the applications down.

It should not interfere with your ability to remote control the Macs, I think. The process that kicks off in the background to control a screen is screensharingd if I'm not mistaken.

I would also go the measure of controlling who can control the screen through the kickstart options as mentioned above though.

Hi there! I'm currently taking the CCT class in Los Angeles, and one of the first things we covered is using Recon to enroll a machine and set up a management account that is hidden from the login window and System Preferences.

You should use a hidden service account, such as casperadmin, set it as the "only" ssh account, and use a policy to block changes to the Sharing panel in System Preferences. This should stop 99% of your student shenanigans.

Definitely a quick fix. You most likely already have a local account with administrative rights, and possibly one that is hidden as well. Make that account the only user setup in Remote Management. Deploy the script provided above via a policy scoped to your pranksters Macs and you're done. Got to admit that is pretty funny though...

Hi Brad. Get back to your class.

As has been pointed out, the ideal way to solve this is by controlling which users can and cannot do remote access and screen sharing. Obscuring the vulnerability does not close it, and you're dealing with children having an abundance of curiosity and time, so somebody will figure out how to address the machines directly.

Yep. I'm in agreement with pretty much everything posted here so far. With that said, I hope that there is some form of disciplinary action for students caught doing this. While it may seem to be a fun joke now, it's a real good way to get fired in the future (Them, not you).