Nerdpedes,
have a look at
https://security.stackexchange.com/questions/64915/what-are-the-biggest-security-concerns-on-pxe
Best of:
I can capture a full machine image. Do your systems automatically connect to the domain controller after setting up the machine? If so, this image probably has domain controller credentials on it, that I can capture and use elsewhere.
Computer makes a DHCP request --> DHCP server responds with address and PXE parameters --> Computer downloads boot image using TFTP over UDP
If the good guys got the traffic on that low level, unencrypted. Then they would have it all.
Not the router logs. Routers log very little to nothing locally, they can however send logs to a server that does store logs which can display slice/dice them. What is important and I wish people would understand, is the router CONFIG file. This has the static routing tables, can show where the pxe images were pulled from.
Also to clarify, for pxe usage, the vast majority of the time, DNS, DHCP, and pxe are not all on the same box, nor should they be, that is really bad practice.
yah, the static routing tables would show the IP of the server where the images would held, and the assumption would be on an internal subnet that the router can route directly to.