2.1.2.1 Server Security Settings
The server interface MUST be identified by the UUID 20610036-fa22-11cf-9823-00a0c911e5df version 1.0. The server MUST specify RPC over SMB as the RPC protocol sequence to the RPC implementation, as specified in [MS-RPCE]. The RASRPC RPC server SHOULD<2> specify "Simple and Protected GSS-API Negotiation Mechanism" (0x09) as the RPC Authentication service, as specified in [MS-RPCE] section 2.2.1.1.7. The RASRPC RPC server SHOULD<3> specify "NT LAN Manager (NTLM)" and "Kerberos" as additional authentication services supported, as specified in [MS-RPCE] section 2.2.1.1.7. The RASRPC RPC server SHOULD<4> support all authentication levels up to RPC_C_AUTHN_LEVEL_PKT_PRIVACY (0x06) to enable clients to use data confidentiality as required. It SHOULD allow clients to connect only with an authentication level of at least RPC_C_AUTHN_LEVEL_CONNECT.<5> Additionally, the RPC server MUST allow only clients that are part of the administrators group on the server.