Choosing an Authentication Level

When choosing an authentication level, use the following guideline. If it does not matter whether the data being sent or received can be intercepted or modified, use RPC_C_AUTHN_LEVEL_NONE, which is the default. If the data must not be modified, and no private data is being sent or received, use RPC_C_AUTHN_LEVEL_PKT_INTEGRITY. In all other cases, use RPC_C_AUTHN_LEVEL_PKT_PRIVACY.

Do not use RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_AUTHN_LEVEL_CONNECT, RPC_C_AUTHN_LEVEL_CALL or RPC_C_AUTHN_LEVEL_PKT. A sophisticated attacker can break these authentication levels and render them ineffective. Each of these levels makes it slightly more difficult for an attacker to intercept and modify data, or to impersonate, but none of them actually achieves security. Because the sophistication of an attacker is rarely known, these levels are not wise choices.
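
The guideline above, written as a decision function plus a server-side minimum-level check. This is an added example, not code from the original page. The helper names are hypothetical, and the server-side check goes one step beyond the text by comparing the level a call actually used with the level the interface requires. The numeric values are those in the Windows SDK header rpcdce.h, repeated so the logic also builds off Windows.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <rpc.h>   /* supplies the RPC_C_AUTHN_LEVEL_* constants */
#else
/* Values from the Windows SDK header rpcdce.h, repeated for other platforms. */
#define RPC_C_AUTHN_LEVEL_DEFAULT       0
#define RPC_C_AUTHN_LEVEL_NONE          1
#define RPC_C_AUTHN_LEVEL_CONNECT       2
#define RPC_C_AUTHN_LEVEL_CALL          3
#define RPC_C_AUTHN_LEVEL_PKT           4
#define RPC_C_AUTHN_LEVEL_PKT_INTEGRITY 5
#define RPC_C_AUTHN_LEVEL_PKT_PRIVACY   6
#endif

/* Hypothetical helper: the guideline as a decision. The result is the value
   a client would pass as AuthnLevel to RpcBindingSetAuthInfo. */
unsigned long choose_authn_level(int tampering_matters, int data_is_private)
{
    if (!tampering_matters && !data_is_private)
        return RPC_C_AUTHN_LEVEL_NONE;
    if (tampering_matters && !data_is_private)
        return RPC_C_AUTHN_LEVEL_PKT_INTEGRITY;
    return RPC_C_AUTHN_LEVEL_PKT_PRIVACY;      /* all other cases */
}

/* Hypothetical helper: true only for the three levels the guideline recommends. */
int authn_level_is_recommended(unsigned long level)
{
    return level == RPC_C_AUTHN_LEVEL_NONE ||
           level == RPC_C_AUTHN_LEVEL_PKT_INTEGRITY ||
           level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY;
}

/* Hypothetical server-side check: 'negotiated' is the AuthnLevel reported by
   RpcBindingInqAuthClient for the call; 'required' is the interface's minimum.
   Fails closed when 'required' is itself one of the discouraged levels. */
int call_meets_requirement(unsigned long negotiated, unsigned long required)
{
    return authn_level_is_recommended(required) && negotiated >= required;
}

int main(void)
{
    unsigned long need = choose_authn_level(1, 0);   /* integrity, no private data */
    printf("required=%lu pkt_ok=%d privacy_ok=%d\n", need,
           call_meets_requirement(RPC_C_AUTHN_LEVEL_PKT, need),
           call_meets_requirement(RPC_C_AUTHN_LEVEL_PKT_PRIVACY, need));
    return 0;
}
```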