Disable server-status page
Currently, if you go to the SMA site page /server-status (kbox.domain.com/server-status), it will tell you that access is denied due to a lack of permissions. There should be an option to completely disable this page from visibility. This is most important to customers like us who host the appliance externally. Attackers could scan our domain and see that there is an Apache server active at the address and could plan a more focused attack against it.
We only host our appliance externally so that workers with endpoints at home and abroad are able to still be managed by the SMA. We do not allow for external connections to log in to the web console.
Andy Flesner commented
If you host your appliance externally for endpoints only, then you can completely block UI access by utilizing the new external agent listening port in SMA 11.0.
To clarify, we did lock down the server-status page in 10.1, but it will still return a 403 permission denied error. It is not accessible by any UI user, not even administrators.