5.1.2 KDC Security

Because this protocol authenticates the administrator using Kerberos, the KDC itself must be kept secure; that is, free from tampering and free from vulnerabilities that would allow privilege-elevation penetrations.