As usual, allow the smallest subset of functionality which still permits legitimate uses. In these cases they're relying on .htaccess files being allowed specific overrides - FileInfo and Options being the most powerful ones.
'AllowOverride AuthConfig Indexes' is generally relatively safe (in my humble experience) - I'd be scared to see an htshell like these with just those.
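An added example, not part of the original comment: a small Python check that scans Apache configuration text and reports every AllowOverride line granting the FileInfo, Options or All classes. The sample configuration and its directory paths are constructed for illustration, and the parser assumes one directive per line (no backslash continuations).

```python
# Override classes named above as the most powerful; "All" includes both.
RISKY = {"fileinfo", "options", "all"}

# Constructed sample config for illustration (paths are hypothetical).
SAMPLE_CONF = """\
<Directory "/var/www/site-a">
    AllowOverride All
</Directory>
<Directory "/var/www/site-b">
    # AllowOverride FileInfo
    AllowOverride AuthConfig Indexes
</Directory>
<Directory "/var/www/site-c">
    allowoverride AuthConfig Options=Indexes,MultiViews
</Directory>
<Directory "/var/www/site-d">
    AllowOverride None
</Directory>
"""

def audit_allowoverride(conf_text):
    """Return (line_no, section, risky_classes) for each AllowOverride
    line that grants FileInfo, Options or All."""
    findings = []
    sections = []  # stack of open <Directory ...>-style containers
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives grant nothing
        if line.startswith("</"):
            if sections:
                sections.pop()
            continue
        if line.startswith("<"):
            sections.append(line.strip("<>"))
            continue
        parts = line.split()
        if parts[0].lower() != "allowoverride":  # directive names are case-insensitive
            continue
        # "Options=Indexes,MultiViews" is a restricted grant of Options; report it too.
        classes = {p.split("=", 1)[0].lower() for p in parts[1:]}
        risky = sorted(classes & RISKY)
        if risky:
            findings.append((line_no, sections[-1] if sections else "<global>", risky))
    return findings

if __name__ == "__main__":
    for line_no, section, risky in audit_allowoverride(SAMPLE_CONF):
        print(f"line {line_no}: {section}: grants {', '.join(risky)}")
```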