Having remote commands that allow servers and workstations to be rebooted, Windows registry modified, files downloaded, and files executed seems to me a very dangerous tool. It provides a Internet reachable, single console, that could provide a means to download and infect hundreds (thousands?) of machines just by knowing a single admin ID.
I would like a feature that could disable the agent commands (especially advanced) from being executed.
This would be for all administrative classes, including the "super user".
One other thought. Since this feature is built-in to endpoint agents, could someone access our endpoints without going through the console