We're looking to secure access to the core JBoss MBeans (and possibly other aspects of the system). Specifically, we want to prevent "rogue" access to shutting down the JBoss server instance. I believe that in the default configuration, once a server has been started, any user on the network can issue the shutdown command to the server via the remote MBean interfaces with code such as:

    ctx = new InitialContext();
    MBeanServerConnection server = (MBeanServerConnection) ctx.lookup("jmx/invoker/RMIAdaptor");
    String[] outval = null;
    server.invoke(new ObjectName("jboss.system:type=Server"), "shutdown", new Object[0], outval);

You can password-protect the JNDI. I don't know offhand how to protect a single entry versus just the whole thing; check out the security forum.
As for the console, you can PW protect it or remove it.