prevent-21_description.md
# PREVENT-21

## Description

Restrict PXE boot to authorized VLANs

## Summary

As outlined in CRED-1, an adversary who meets certain conditions, such as having network line of sight to a PXE-enabled distribution point (DP), may be able to PXE boot from it or retrieve its PXE boot media.

An option to mitigate such access or attacks is restricting PXE boot to specific VLAN(s). There are two general approaches for configuring this setup:

  1. Deploy the PXE-enabled DP on the authorized VLAN and block traffic to it that originates from other VLANs; additionally, disable PXE on any DP located in a non-authorized VLAN.
  2. Configure IP helpers (DHCP relay) so that only the authorized VLANs forward DHCP requests to the PXE-enabled DP; PXE requests from all other VLANs are not relayed and are therefore ignored.

A third method exists, using DHCP options to point clients at the PXE server, but Microsoft does not recommend this approach.
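The second approach relies on the IP helper (DHCP relay) configuration of each VLAN interface, which is easy to get wrong when many SVIs carry helper entries. The following is an added example, not part of PREVENT-21 or of any Microsoft or Misconfiguration Manager code: it parses a constructed Cisco IOS-style configuration, collects the `ip helper-address` entries under each `interface Vlan` block, and reports VLANs that relay to the DP without being authorized, as well as authorized VLANs that are missing the relay. The DP address `10.0.0.50`, the VLAN numbers and the configuration text are all assumed values for illustration.

```python
"""Audit which VLAN interfaces relay DHCP/PXE requests to a PXE-enabled DP.

Added example (not from PREVENT-21 or Microsoft documentation). It checks an
IOS-style configuration for `ip helper-address` entries pointing at the DP and
compares the relaying VLANs against an authorized list.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample configuration; VLAN ids and addresses are assumptions.
SAMPLE_CONFIG = """\
interface Vlan10
 description Imaging VLAN (authorized for PXE)
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.0.0.50
!
interface Vlan20
 description User VLAN
 ip address 10.10.20.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip helper-address 10.0.0.50
!
interface Vlan30
 description Guest VLAN
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 10.0.0.10
!
"""

PXE_DP = "10.0.0.50"       # assumed address of the PXE-enabled distribution point
AUTHORIZED_VLANS = {10}    # assumed VLAN(s) permitted to PXE boot

_IFACE_RE = re.compile(r"^interface Vlan(\d+)\s*$")
_HELPER_RE = re.compile(r"^\s+ip helper-address\s+(\S+)")


def parse_helpers(config: str) -> Dict[int, List[str]]:
    """Map each VLAN id to the list of ip helper-address targets on its SVI."""
    helpers: Dict[int, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = int(m.group(1))
            helpers.setdefault(current, [])
            continue
        # Any other interface block or a '!' separator ends the current SVI.
        if line.startswith("interface ") or line.strip() == "!":
            current = None
            continue
        m = _HELPER_RE.match(line)
        if m and current is not None:
            helpers[current].append(m.group(1))
    return helpers


def unauthorized_pxe_relays(config: str, dp: str, authorized: Iterable[int]) -> List[int]:
    """VLANs whose SVI relays DHCP to the DP although they are not authorized."""
    allowed = set(authorized)
    return sorted(v for v, targets in parse_helpers(config).items()
                  if dp in targets and v not in allowed)


def missing_authorized_relays(config: str, dp: str, authorized: Iterable[int]) -> List[int]:
    """Authorized VLANs whose SVI does not relay to the DP (PXE would not work there)."""
    helpers = parse_helpers(config)
    return sorted(v for v in authorized if dp not in helpers.get(v, []))


def main() -> None:
    bad = unauthorized_pxe_relays(SAMPLE_CONFIG, PXE_DP, AUTHORIZED_VLANS)
    missing = missing_authorized_relays(SAMPLE_CONFIG, PXE_DP, AUTHORIZED_VLANS)
    for v in bad:
        print(f"Vlan{v} relays DHCP to the PXE DP {PXE_DP} but is not authorized")
    for v in missing:
        print(f"Vlan{v} is authorized but has no helper entry for {PXE_DP}")
    if not bad and not missing:
        print("PXE relay configuration matches the authorized VLAN list")


if __name__ == "__main__":
    main()
```

In the constructed sample, Vlan20 carries a second helper entry pointing at the DP, so the audit flags it; removing that line leaves only the imaging VLAN able to reach the DP through DHCP relay, which is the state approach 2 describes.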

## Linked Defensive IDs

## Associated Offensive IDs

## References