By default, the Canary Admin allows anonymous access for local users via the 'Net.Pipe' endpoint.

If wishing to restrict local admin access, simply uncheck this box. Before doing so, ensure the desired users/groups are on the 'ALLOW' list on the 'Access' screen as once the change is applied, the user will be prompted to authenticate if they are not on the list.

When a local user opens the admin client it will first attempt to authenticate the logged on user using their Windows credentials. If the local user is on the Access list, they will be granted access and not be prompted for a username/password. If the user is not on the list, a screen will appear prompting them for a username/password. Either one of these endpoints can be disabled from the 'Endpoints' tab shown in the first screen shot.