Restrict PXE boot to authorized VLANs
As outlined in CRED-1, an adversary who meets certain conditions, such as having network line of sight to a PXE-enabled distribution point (DP), may be able to PXE boot or retrieve PXE boot media.
One mitigation is to restrict PXE boot to specific VLAN(s). There are two general approaches for configuring this:
- Place the PXE-enabled DP on the authorized VLAN, block traffic from other VLANs from reaching it, and disable PXE on any DPs that sit in non-authorized VLANs. Because PXE clients locate the boot server with DHCP broadcasts, a client in another VLAN never reaches the DP unless a router relays its broadcast.
- Configure IP helper (DHCP relay) addresses only on the router interfaces of authorized VLANs, so that DHCP/PXE requests from those VLANs are forwarded to the PXE-enabled DP while requests from other VLANs are never relayed and go unanswered.
A third method uses DHCP options (typically 66 and 67, which hand the client a boot server and boot file name) instead of IP helpers. Microsoft does not recommend this approach.
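As an added example (not code from the original page or its references), the following PowerShell script implements the "disable PXE on DPs within non-authorized VLANs" part of the first approach: it enumerates every PXE-enabled DP in a site, resolves its IPv4 address, and flags any DP outside the authorized PXE subnets; with -Enforce it turns PXE off on those DPs. It uses the ConfigurationManager module that ships with the ConfigMgr console; the site code 'PS1' and the subnet 10.10.20.0/24 are assumptions for illustration.

```powershell
# Added example (not from the original page): audit PXE-enabled ConfigMgr DPs and
# disable PXE on any DP whose address is outside the authorized PXE VLAN(s).
# Assumptions (hypothetical): site code 'PS1', authorized subnet 10.10.20.0/24,
# and the ConfigMgr admin console (with its PowerShell module) installed locally.
param(
    [string]   $SiteCode          = 'PS1',
    [string[]] $AuthorizedSubnets = @('10.10.20.0/24'),   # authorized PXE VLAN(s), CIDR
    [switch]   $Enforce                                   # without -Enforce, report only
)

# Load the ConfigurationManager module shipped with the console and map the site drive.
Import-Module (Join-Path (Split-Path $Env:SMS_ADMIN_UI_PATH -Parent) 'ConfigurationManager.psd1')
Set-Location "$SiteCode`:"

function ConvertTo-UInt32 {
    # Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
    param([System.Net.IPAddress]$Address)
    $b = $Address.GetAddressBytes()
    return [uint32](([uint64]$b[0] * 16777216) + ([uint64]$b[1] * 65536) + ([uint64]$b[2] * 256) + [uint64]$b[3])
}

function Test-InSubnet {
    # True when $Address falls inside the CIDR block $Cidr (e.g. 10.10.20.0/24).
    param([System.Net.IPAddress]$Address, [string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    # Build the mask arithmetically to sidestep PowerShell's signed shift semantics.
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
    $netInt = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($network))
    return ((ConvertTo-UInt32 $Address) -band $mask) -eq ($netInt -band $mask)
}

foreach ($dp in Get-CMDistributionPointInfo) {
    if (-not $dp.IsPXE) { continue }   # only PXE-enabled DPs are of interest here

    # Resolve the DP's IPv4 address(es); the address is our proxy for the VLAN it sits in.
    $v4 = [System.Net.Dns]::GetHostAddresses($dp.ServerName) |
          Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }

    $authorized = $false
    foreach ($ip in $v4) {
        foreach ($cidr in $AuthorizedSubnets) {
            if (Test-InSubnet -Address $ip -Cidr $cidr) { $authorized = $true }
        }
    }

    if ($authorized) {
        Write-Output "OK      $($dp.ServerName) [$($v4 -join ', ')] PXE-enabled inside an authorized VLAN"
    }
    else {
        Write-Warning "$($dp.ServerName) [$($v4 -join ', ')] is PXE-enabled outside the authorized VLAN(s)"
        if ($Enforce) {
            # Turn off PXE (and therefore PXE responses) on the out-of-policy DP.
            Set-CMDistributionPoint -SiteSystemServerName $dp.ServerName -EnablePxe $false
        }
    }
}
```

Run it without -Enforce first and review the warnings; a DP's address only approximates its VLAN, and a PXE-enabled DP in the authorized VLAN still answers any request a router relays to it, so this audit complements the IP helper and VLAN boundary controls above rather than replacing them.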
- PREVENT-6: Configure a strong PXE boot password
- PREVENT-7: Disable command support in PXE boot configuration
- Microsoft, Boot From PXE Server
- Reddit, PXE Boot from only one VLAN?