Lock down some config options

Summary:
This is just a general review of config options, to reduce the amount of damage a rogue administrator (without host access) can do. In particular:

• Fix some typos.
• Lock down some options which would potentially let a rogue administrator do something sketchy.
  • Most of the new locks relate to having them register a new service account, then redirect services to their account. This potentially allows them to read email.
  • Lock down some general disk stuff, which could be troublesome in combination with other vulnerabilities.

Test Plan:

• Read through config options.
• Tried to think about how to do evil things with each one.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D8928