Vulnerability Development mailing list archives

Why MS namedpipe work this way


From: Minchu Mo <morris_minchu () iwon com>
Date: 10 Dec 2001 11:56:05 -0000



Microsoft named pipes allow the named pipe server 
to use the function ImpersonateNamedPipeClient() to 
assume the security token of the named pipe client, 
which in lots of cases is the system account. 

MSDN says, "This function can be useful in 
determining whether to grant the request of a pipe 
client." This is OK if the client is a normal user, but if 
the client is system, as currently exists in many 
Windows services, it can be hijacked by a 
faked/hacking named pipe server. I have seen several 
papers talking about exploiting this.

Would it be better to have this function 
ImpersonateNamedPipeClient() work only in the case 
where the named pipe server has higher privilege than 
the client?

