You need to undeploy RMI connector, EJB connector etc. There are more than one gateway into the JMX server deployed by default.
I'm trying to put together a little production guide, and this seems to be a point of confusion.
There are several adaptors/connectors in for example 3.2:
Is the purpose of of all these packages solely jmx adminstration? Disabling these will not interfere with EJB functionality?
You can disable all of these without interfering with EJB funtionality.
So basically if you would like to secure JMX access you would use one of the securable ejb connectors/adaptors.
Or do rmi over ssl.