For USB Ports I would suggest editing BIOS of systems with password protection and disable booting through USB, this way the USB will operate, but cant boot hacksaws etc.
Then to hide the CD Rom Boot set it to the lowest of the order of initialization at boot Hard Drive Before CD-Rom so that the Hard Drive Kicks in and it never gets to the CD-Drive as a boot device.
Just be sure to set the password to something not easy to figure out, but also not to lose it. Only way to get back in if you forget the BIOS password is to open the case and press a CMOS button to clear BIOS back to default. Students who are given access to these computers and if the computers are not supervised and cases available to be opened can also reset this button inside the case and get into the BIOS. Most students would not go this far as to opening the case. Some builds come with case locks to prevent intrusion to the inside of a computer requiring a key to unlock to be able to remove panels etc.
Good luck running the IT Department for your School