The simplest solution is a rule inside the .htaccess of the installation, if it is an Apache server. The following syntax should support you.
Protect the whole access
# PROTECT xmlrpc.php
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
Access for several apps
# ACCESS for xmlrpc surface only for different apps
<IfModule mod_setenvif.c>
<Files xmlrpc.php>
# blogs
BrowserMatch "WordPress" allowed
# poster
BrowserMatch "Poster" allowed
# Windows Livew Writer
BrowserMatch "Windows Live Writer" allowed
# WP 4 iOS
BrowserMatch "wp-iphone" allowed
# WP 4 Android
BrowserMatch "wp-android" allowed
Order Allow,Deny
Deny from All
Allow from env=allowed
</Files>
</IfModule>
Deactivation via Filter
There is also an option to deactivate the functionality about a filter. Copy the following example in a custom plugin and use it. It is also possible to use it as ‘Must Use plugin‘. In your case in a Multisite installation, you should the plugin activates as ‘Network Wide’, about all sites of the network.
add_filter( 'xmlrpc_enabled', '__return_false' );