Summary
As outlined in CRED-1, if an adversary meets certain conditions, such as having line of sight to a PXE-enabled distribution point, they may be able to PXE boot or retrieve PXE boot media. One option to mitigate such access or attacks is restricting PXE boot to specific VLAN(s). There are two general approaches for configuring this setup:
- Deploy the PXE-enabled DP on the authorized VLAN, block any traffic originating from other VLANs, and also disable PXE on DPs within non-authorized VLANs.
- Configure IP helpers to forward DHCP requests from authorized VLANs to the PXE-enabled DP, and otherwise ignore PXE requests.
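The two approaches above expressed as Cisco IOS-style switch configuration, added here as an example and not taken from the original page or the project it belongs to; the VLAN IDs, subnets and host addresses are constructed placeholders, and the DP is assumed to serve PXE on UDP 67/4011 (DHCP/ProxyDHCP) and boot media on UDP 69 (TFTP).

```cisco
! Constructed example: VLAN 10 is the only VLAN authorized to PXE boot.
! DHCP server: 10.20.0.5   PXE-enabled DP: 10.20.0.10 (both on server VLAN 20)

! Authorized imaging VLAN: relay DHCP broadcasts to BOTH the DHCP server
! and the PXE-enabled DP, so the DP can answer with its boot server options.
interface Vlan10
 description Imaging VLAN - PXE authorized
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.20.0.5
 ip helper-address 10.20.0.10

! Weak setting (before): a user VLAN that also relays to the DP, so every
! client on it receives PXE offers and can pull boot media.
! interface Vlan30
!  ip helper-address 10.20.0.5
!  ip helper-address 10.20.0.10      <- this line is the problem

! Corrected setting: the user VLAN relays only to the DHCP server; the DP
! never sees the request, so the PXE request is effectively ignored.
interface Vlan30
 description User VLAN - not PXE authorized
 ip address 10.10.30.1 255.255.255.0
 ip helper-address 10.20.0.5

! Approach 1 enforcement: drop unicast PXE/TFTP traffic to the DP from any
! source outside the authorized VLAN, so a host that already knows the DP's
! address still cannot reach its ProxyDHCP or TFTP service across VLANs.
ip access-list extended PXE-DP-GUARD
 permit udp 10.10.10.0 0.0.0.255 host 10.20.0.10 eq 67
 permit udp 10.10.10.0 0.0.0.255 host 10.20.0.10 eq 69
 permit udp 10.10.10.0 0.0.0.255 host 10.20.0.10 eq 4011
 deny   udp any host 10.20.0.10 eq 67
 deny   udp any host 10.20.0.10 eq 69
 deny   udp any host 10.20.0.10 eq 4011
 permit ip any any

interface Vlan20
 description Server VLAN - DHCP server and DP
 ip address 10.20.0.1 255.255.255.0
 ip access-group PXE-DP-GUARD out
```

The helper-address lines decide which VLANs ever receive a PXE offer; the ACL covers the separate case of a client that already knows the DP's address and talks to it directly.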
Linked Defensive IDs
- PREVENT-6: Configure a strong PXE boot password
- PREVENT-7: Disable command support in PXE boot configuration
Associated Offensive IDs
References
- Microsoft, Boot From PXE Server
- Reddit, PXE Boot from only one VLAN?