If your server registers with a security provider, client calls with invalid credentials will not be dispatched. However, calls with no credentials will be dispatched. There are three ways to keep this from happening:
Note If you are using the NT LAN Manager Security Support Provider (by means of the authentication-service constant RPC_C_AUTHN_WINNT), you should be aware that a client whose credentials specify an unknown user name will be given "guest" access permission. If you do not want this behavior, remove the "guest" account from your server.
The NTLMSSP provider also lets your server impersonate the client by calling RpcImpersonateClient. For more information on the NT security model, read Access Control Model.
If you need additional information on how to write a secure server, check with the manufacturer of your security provider.