Understanding Security Considerations for the PXE Boot Process in Windows HPC Server 2008 R2
Updated: October 7, 2010
Applies To: Windows HPC Server 2008 R2
When reviewing security in your installation, it is important to review the use of Pre-Boot Execution Environment (PXE) boot requests to deploy compute nodes. The PXE architecture presents some security risks that are inherent in PXE because of its design. PXE is an industry standard, so any remote-deployment method that uses PXE carries the same risks.
When compute nodes are deployed through PXE requests to the head node, there is the potential that an attacker could use a PXE request to deploy a compute node that the attacker controls. Then the attacker could potentially use that compute node to obtain information or to cause damage to your network. An attacker might also attempt to place an unauthorized (rogue) PXE server on your network, or otherwise use the PXE boot process as an entry point for an attack.
Use the following methods to mitigate risks associated with using the PXE boot process in your installation:
Restrict physical access to your networks, especially network segments in which compute nodes will send PXE requests to the head node, and monitor the networks to detect unauthorized computers. This is part of using defense in depth.
Connect network cables carefully if you are using multiple networks (for example, enterprise, private, and application networks). Ensure that the network cable for one network is not crossed with the cable for another.
Whenever you have new offline compute nodes that need to be brought online, review the list of offline nodes carefully. A new compute node that has just been added stays in the list of offline nodes until an HPC cluster administrator brings it online, and this includes any new compute node that an attacker might attempt to deploy through the PXE boot process. For more information about viewing offline nodes, see Section 5.4, "Monitor deployment progress" in Step 5: Add Nodes to the Cluster (http://go.microsoft.com/fwlink/?LinkId=201561) in the Design and Deployment Guide for Windows HPC Server 2008 R2.
As part of using PXE in a network setting where other types of servers might also use PXE, we also recommend that you allow Windows HPC Server 2008 R2 to handle PXE boot settings in the default manner. The default in Windows HPC Server 2008 R2 is to respond only to PXE requests that come from existing compute nodes. Even with this default, you can still use the Add Node Wizard to add nodes from bare metal, because the wizard temporarily changes the setting when you run it, and provides you with the option to choose whether to return to the default setting when the wizard completes. Returning to the default setting means that the head node will once again respond only to PXE requests that come from existing compute nodes (and not from any other type of server in your network). For more information about the Add Node Wizard, see Step 5: Add Nodes to the Cluster (http://go.microsoft.com/fwlink/?LinkId=201561) in the Design and Deployment Guide for Windows HPC Server 2008 R2.
To review the PXE boot setting on the head node, or to configure the setting manually, see Control the Way the Head Node Responds to PXE Boot Requests in HPC Server 2008 R2.
Monitor Event Viewer for messages that indicate the presence of an unauthorized (rogue) DHCP server on the network. This can also help you to prevent a rogue PXE server from operating on the network.
DHCP Server Rogue Detection (http://go.microsoft.com/fwlink/?LinkId=201678)
Rogue Detection (http://go.microsoft.com/fwlink/?LinkId=201679)
Security Considerations for Deploying Compute Nodes in Windows HPC Server 2008 R2
Checklist of Security Settings That Can Be Tightened with Windows HPC Server 2008 R2