Bug was initially reported by Ivan Prenosil.
In 2.1 release branch services ignore setting of Authentication parameter in firebird.conf. Therefore any operations, not requiring further DB login (like view firebird.log file, information about FB server, etc.), can be always performed by any valid domain user.
Notice: bug was already fixed in HEAD during generic security cleanup - currently configuration setting Authentication is checked much earlier, in remote listener. And it's not enough to be any user, only admins have rights to perform most of mentioned activities. Therefore mentioned bug is only 2.1 specific.