Is it possible to put password-protect the console port or disable it?
I'm not sure which OS version this was introduced but the option is on the console port with version 7.1.
Please choose from among the following options:
1. Network Settings and Tools
2. Create admin username and password
3. Display log/status
4. System Operations
5. Toggle password protection for the console (Off)
6. Create a Super Admin session.
7. System Snapshot
8. Reset allowed encryption strength for SSL
You wouldn't want to disable the console port even if you could. And, if you set a password, make sure you remember it!
The console is the last-resort way to manage the device. I've certainly had cases where the only control I had over the device was via the console, when the GUI was nonfunctional. I've also had situations where I've absolutely needed to get on the console to recover a device by rolling back from the current version. If you set a console password, and don't know it, you will end up with a very expensive brick. (I assume Juniper has a way to recover a device even in that circumstance, but I wouldn't be surprised if it didn't involve returning the device to them.)
So, if you are installing a device in an unsecured environment and concerned about tampering, set a console password. Also, you might want to check to see if a syslog message is generated when an admin logs on through the console, and trap that syslog message with some sort of syslog postprocessor like Splunk.