An interesting conundrum
@ 2 thoughts
Yes, you do indeed have to authorise a DHCP server in 2003, but from experience, this doesn't prevent a rogue DHCP server getting in. It just prevents the DHCP server from communicating with Active Directory and the internal DNS (that's how DNS updates its dynamic FQDN list).
We had a rather dumb art teacher in the school I used to work at, and periodically, he would hard reset his Mac WAPs, thus re-enabling the built-in DHCP server.
Aside from requiring a damn good slap for throwing money away on Mac WAPs, (I can pay 3 times the going rate for half the features? Where's my wallet?!?!) realistically, rogue DHCP detection is the only practical solution, but quite a job if you have multiple sites.
I'm currently setting up SCCM 2007, which can make extensive use of WOL, and Intel's AMT tech for Out Of Bounds management. Basically, it can power on a machine, and gain BIOS level control.
It requires a PKI SSL certificate installing amongst other things due to the security implications, so I'll be interested to see what other traffic security benefits can be gleaned.
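
The rogue DHCP detection mentioned in the post above, as an added example that is not part of the original post: it parses the UDP payload of a DHCP server reply and flags any server identifier (option 54) that is not on an allow-list. The allow-list address, the function names and the sample packets are constructed assumptions; capturing the replies (sent to UDP port 68) is left to whatever sniffer the site already uses.

```python
import ipaddress

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # message types only servers send
AUTHORISED = {"10.0.0.10"}            # assumption: the site's sanctioned DHCP servers

def parse_options(data):
    """Walk the code/length/value options field; returns {code: value_bytes}."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 255:               # end option
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            break                     # truncated: length byte missing
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) < length:
            break                     # truncated value, stop parsing
        opts[code] = value
        i += 2 + length
    return opts

def check_reply(payload):
    """Return (msg_type, server_ip, authorised) for a server reply, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None                   # not a BOOTREPLY carrying DHCP options
    opts = parse_options(payload[240:])
    mtype = SERVER_TYPES.get((opts.get(53) or b"\x00")[0])
    if mtype is None or len(opts.get(54, b"")) != 4:
        return None                   # no server message type or no server id
    server = str(ipaddress.IPv4Address(opts[54]))
    return mtype, server, server in AUTHORISED

def make_reply(server_ip, msg_type=2):
    """Constructed sample: minimal BOOTREPLY with options 53 and 54 only."""
    fixed = bytes([2, 1, 6, 0]) + bytes(232)      # 236-byte fixed BOOTP header
    sid = ipaddress.IPv4Address(server_ip).packed
    return fixed + MAGIC + bytes([53, 1, msg_type, 54, 4]) + sid + b"\xff"

if __name__ == "__main__":
    for ip in ("10.0.0.10", "192.168.1.1"):       # constructed addresses
        print(check_reply(make_reply(ip)))
```

Run on each site's LAN segment, a reply whose third field is `False` points at a device such as a factory-reset access point handing out leases.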