RpcServerRegisterAuthInfo doesn't deny unauthorized users
When security providers are registered on the server with the RpcServerRegisterAuthInfo function, an authentication option is added; not an authentication requirement. That means that previous registrations with RpcServerRegisterAuthInfo aren't replaced. It also means that an unauthenticated client that could connect before can still connect.
Just calling the RpcServerRegisterAuthInfo function doesn't disallow unauthenticated clients from connecting. If they could connect before, then they can still connect; but function calls such as RpcImpersonateClient and RpcGetAuthorizationContextForClient will fail. So when the RpcServerRegisterAuthInfo function is called, potential attackers have not been weeded out—rather, authorized clients are given a chance to prove their identity. So you must still put in place checks to determine whether potential attackers are attempting to connect.