PXE Boot on laptops - Security concerns?

  • Hello all,

    I’m just getting started with FOG and PXE booting in general. We have a number of desktops and laptops that I would like to configure to be managed through FOG. My concern is about configuring the laptops to have PXE boot as the first item in the boot order. In this state, it seems like it would be fairly simple for them to fall victim to a malicious PXE boot server waiting on a network outside of our building.

    Are these concerns unfounded? Is there any way to address this issue?


  • @Bob-Henderson The sometimes not part - that’s probably a FOG client issue. Like encryption reset needing done or bad config or something.

  • We’re a 1:1 Windows laptop school. We have local disk as first boot option for this very reason, kids leave the building daily with them.

    For our desktops, we put PXE first so I can WoL them in off hours and image.

    One thing that’s bugging me as a way to manage with FOG only is the multiple MAC addresses. I register them with the wired NIC, then the wireless NIC sometimes shows up in the pending MACs, but sometimes not.

  • The laptops go outside of our building daily. Port locks are an interesting option, but limiting the laptops’ connectivity options would likely bite me pretty quickly.

    Having the laptops boot first to local disk is likely the option I will take with the laptops.

    Thanks for the advice!

  • As an admin for a school district, I didn’t much care about the security aspects of enabling network boot as the first item on the laptops - it helped me do my job and the security risks in the environment for PXE were very low.

    If your laptops are going outside of your building, I’d leave the local disk as the first boot item. Another option would be to put port locks into the Ethernet ports so they can only use Wi-Fi. These locks are pretty cheap.

  • Moderator

    For someone to hack your PXE booting, they would either need to change your settings in DHCP or install a rogue DHCP server on your network or install a DHCP proxy server on your network. All require physical access to your network.

    If you do not need unattended imaging, you can always leave your default boot device the hard drive. Then when you image you will just have a technician in front of the computer, press F12 during initial boot and select PXE boot from the firmware boot menu. We do this because we want to know for absolute what system we are imaging.

  • Senior Developer

    @Amh PXE is definitely an insecure protocol; unfortunately, it also so happens to be the standard every machine has. I am working on a new system for Windows machines to boot to FOG without PXE along with secure boot compatibility, but they won’t be available until FOG 2.0.

    The best approach to remain secure is to have some network monitoring software keep an eye out for rogue DHCP/DHCP proxy servers.
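
The monitoring idea from the last post, sketched as an added example that is not part of the original thread or of FOG: it parses DHCP reply payloads and flags any server outside an allowlist, noting proxyDHCP replies and offered boot files. The allowlist, addresses, boot file names and function names are assumptions, and the sample packets are constructed.

```python
import socket, struct

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie (RFC 2131)
ALLOWED_SERVERS = {"10.0.0.2"}     # assumption: your real DHCP/FOG servers and relays

def parse_dhcp(payload):
    """Parse a BOOTP/DHCP UDP payload into header fields and an options dict."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    msg = {"op": payload[0], "opts": {},
           "yiaddr": socket.inet_ntoa(payload[16:20]),
           "siaddr": socket.inet_ntoa(payload[20:24]),
           "file": payload[108:236].split(b"\0", 1)[0].decode("ascii", "replace")}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        code, length = payload[i], payload[i + 1]
        if code:                                        # 0 = pad, has no length byte
            msg["opts"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length if code else 1
    return msg

def check_reply(payload, src_ip):
    """Return findings for one server-to-client DHCP reply (empty list = fine)."""
    msg = parse_dhcp(payload)
    if msg is None or msg["op"] != 2:                   # 2 = BOOTREPLY
        return []
    opts = msg["opts"]
    server = socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else src_ip
    if {server, src_ip} <= ALLOWED_SERVERS:             # server id and sender both known
        return []
    findings = [f"unauthorized DHCP server {server} (packet source {src_ip})"]
    if opts.get(60, b"").startswith(b"PXEClient") and msg["yiaddr"] == "0.0.0.0":
        findings.append("proxyDHCP reply: boot info without an address lease")
    boot = msg["file"] or opts.get(67, b"").decode("ascii", "replace")
    if boot or msg["siaddr"] != "0.0.0.0" or 66 in opts:
        findings.append(f"offers network boot: next-server={msg['siaddr']} file={boot!r}")
    return findings

def build_reply(yiaddr, siaddr, bootfile, options):     # constructed test data only
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0, bytes(4),
                      socket.inet_aton(yiaddr), socket.inet_aton(siaddr), bytes(4),
                      bytes(6), b"", bootfile.encode())
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return hdr + MAGIC + body + b"\xff"

LEGIT = build_reply("10.0.0.50", "10.0.0.2", "site-boot.kpxe",
                    {53: b"\x02", 54: socket.inet_aton("10.0.0.2")})
ROGUE = build_reply("0.0.0.0", "192.168.1.66", "other-boot.efi",
                    {53: b"\x02", 54: socket.inet_aton("192.168.1.66"), 60: b"PXEClient"})
```

In live use the payloads would come from a capture of DHCP traffic (UDP ports 67 and 68) on the segment being watched; the capture side is left out here.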