NetBoot

Revised: 2007-02-08 richard

NetBoot is a technology that allows you to boot a Mac from a disk image on a NetBoot server.

In January 1999, Apple introduced Mac OS X Server and its NetBoot services, which enable Power Macintosh and PowerBook models to boot directly from a server rather than a local hard drive.

Mac models that support NetBoot include older models based on the PowerPC processor using Open Firmware (New World ROM) and newer Macs based on the Intel processor using EFI (Extensible Firmware Interface). See this page for details on supported Mac models.

Security

Depending on your environment's security requirements and your administrative policies, you can implement multiple security measures for NetBoot.

Enable NetBoot Filtering
Using the Server Admin utility, you can allow or deny NetBoot for a client based on its hardware address.

In the Computers & Services list, select NetBoot, then select the "Settings" pane at the bottom of the screen, then select "Filters" at the top, then click "Enable NetBoot/DHCP filtering" and add the client hardware addresses you want to allow or deny.

NetBoot - Settings - NetBoot Filters

In a large environment where clients change frequently, you have to keep updating the hardware addresses in the NetBoot Filters, which might be more time-consuming than it is worth. Another option for securing NetBoot, instead of using the NetBoot Filters, is to use the Firewall to restrict client IP addresses or subnets and to require NetBoot client authentication.

NetBoot Authentication
Again, depending on your environment and administrative policy, you might want to require NetBoot to authenticate with a username and password. You can then keep users from purposely or accidentally NetBooting clients. You could also have a script check whether a client has been NetBooted and sitting at the login window for X amount of time, then reset the default startup disk and reboot.
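
A sketch of the login-window check described above, as an added example that is not part of the original page. It assumes the `kern.netboot` sysctl reports 1 on a NetBooted client, that `/dev/console` is owned by root while the login window is showing, and that the script is run periodically as root with `--run`; `LOCAL_VOLUME`, `IDLE_LIMIT`, the stamp file and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reset the startup disk when a NetBooted client has been
# idle at the login window for too long. Values below are placeholders.
LOCAL_VOLUME="/Volumes/Macintosh HD"  # assumed name of the local startup volume
IDLE_LIMIT=1800                       # "X": seconds allowed at the login window
STAMP="/var/run/netboot_idle.stamp"   # records when the idle period began

# should_reset NETBOOTED CONSOLE_USER IDLE_SECONDS LIMIT
# Succeeds only when NetBooted, nobody is logged in, and idle >= limit.
should_reset() {
    [ "$1" = "1" ] || return 1
    [ "$2" = "root" ] || return 1
    [ "$3" -ge "$4" ] || return 1
    return 0
}

# Seconds since the stamp file was first written; writes it if missing.
idle_seconds() {
    now=$(date +%s)
    [ -f "$1" ] || echo "$now" > "$1"
    start=$(cat "$1")
    echo $((now - start))
}

main() {
    netbooted=$(sysctl -n kern.netboot 2>/dev/null || echo 0)
    user=$(stat -f %Su /dev/console)   # BSD stat: owner of the console
    if [ "$netbooted" != "1" ] || [ "$user" != "root" ]; then
        rm -f "$STAMP"   # a user is logged in or booted locally: restart clock
        return 0
    fi
    idle=$(idle_seconds "$STAMP")
    if should_reset "$netbooted" "$user" "$idle" "$IDLE_LIMIT"; then
        rm -f "$STAMP"
        # Point the firmware back at the local volume, then reboot.
        bless --mount "$LOCAL_VOLUME" --setBoot && shutdown -r now
    fi
}

# Act only when invoked with --run, so the functions can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Because the clock restarts whenever a user is logged in, only time spent unattended at the login window counts toward the limit.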