[jboss-dev] Default security or localhost

For whatever reason our long standing use of unsecured consoles is now being reported as a security hole. To address this, either we need to bind to localhost by default or secure the consoles with a user that has no access. The latter requires a post install change to add a valid role or remove the security settings. We can't go with a default admin/admin password. The localhost approach would allow testsuites to continue to work as they currently do and is probably the least intrusive change. Any other opinions or options?