Kerberos Security

You must restrict and monitor permissions on any Kerberos keytab files you use as part of your Kerberos configuration. Keytab files contain pairs of Kerberos principals and encrypted keys. Any account with read permission on a keytab file can use all of the keys it contains.
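One way to check the permission requirement above on a POSIX host, as an added example that is not part of the original page. The function name `audit_keytab`, its `expected_uid` parameter and the sample file names are assumptions; the sample files are constructed and contain no keys.

```python
import os
import stat
import tempfile


def audit_keytab(path, expected_uid=None):
    """Return a list of findings for one keytab path (empty list = clean)."""
    findings = []
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except OSError as exc:
        return [f"cannot stat: {exc.strerror}"]
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; audit the real file and remove the link"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable beyond owner (mode {mode:04o}); every key is exposed")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable beyond owner (mode {mode:04o}); keys can be replaced")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    # A world-writable parent without the sticky bit lets others swap the file.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable; file can be swapped")
    return findings


def demo():
    """Build constructed sample files in a temp dir and audit them."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("good.keytab", 0o600), ("loose.keytab", 0o644)):
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(b"\x05\x02")  # keytab version header only, no keys
            os.chmod(p, mode)
            results[name] = audit_keytab(p, expected_uid=os.getuid())
        results["missing.keytab"] = audit_keytab(os.path.join(d, "missing.keytab"))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "OK" if not findings else findings)
```

Running the audit on a schedule and alerting on any non-empty result covers the monitoring half of the requirement.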

Lock down the Kerberos Service's user account. Apply a policy to prevent the Kerberos Service user account from logging in to any machine. This ensures that, should anyone gain access to the keytab file, they cannot use the credentials in that file to log in to any computer.

If the file is ever copied, backed up, or distributed, it must never be transmitted across a network or conveyed in any way in an unencrypted form.