diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index 468827b..916fc57 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -62,3 +62,9 @@
 - name: Disable hibernation/resume
   copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
   notify: update-initramfs
+
+- name: Prevent normal users from running su
+  lineinfile:
+    path: /etc/pam.d/su
+    regexp: '^# auth       required   pam_wheel.so$'
+    line: 'auth       required   pam_wheel.so'