SC-100 Online Practice Questions and Answers

Correct Answer:

Box 1: A security PIN

Azure Backup

The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems.

You can reduce your on-premises exposure by moving your organization to a cloud service.

Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a

security PIN before modifying online backups.

Box 2: Encryption by using platform-managed keys

Ensure backup data is encrypted.

By default, backup data at rest is encrypted using platform-managed keys (PMK). For vaulted backups, you can choose to use customer-managed keys (CMK) to own and manage the encryption keys yourself. Additionally, you can configure

encryption on the storage infrastructure using infrastructure-level encryption, which along with CMK encryption provides double encryption of data at rest.

Reference:

https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

Correct Answer: AD

A: LT-2: Enable threat detection for Azure identity and access management

Guidance: Azure Active Directory (Azure AD) provides the following user logs, which can be viewed in Azure AD reporting or integrated with Azure Monitor, Microsoft Sentinel, or other SIEM/monitoring tools for more sophisticated monitoring

and analytics use cases:

Sign-ins - The sign-ins report provides information about the usage of managed applications and user sign-in activities.

Audit logs - Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, like adding or removing users, apps, groups, roles, and

policies.

D: Disable local authentication methods so that your Cosmos DB database accounts exclusively require Azure Active Directory identities for authentication.

Enforcing RBAC as the only authentication method

In situations where you want to force clients to connect to Azure Cosmos DB through RBAC exclusively, you have the option to disable the account's primary/secondary keys. When doing so, any incoming request using either a primary/

secondary key or a resource token will be actively rejected.

Incorrect:

Not C: We use the Azure Active Directory (Azure AD) sign-in logs, not the Azure Cosmos db logs.

Not E: Microsoft Defender for Cosmos DB, though useful from a security perspective, does not help with auditing the users.

Note: Logging and Threat Detection, LT-1: Enable threat detection for Azure resources

Guidance: Use the Microsoft Defender for Cloud built-in threat detection capability and enable Microsoft Defender for your Cosmos DB resources. Microsoft Defender for Cosmos DB provides an additional layer of security intelligence that

detects unusual and potentially harmful attempts to access or exploit your Cosmos DB resources.

Reference: https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cosmos-db-security-baseline https://docs.microsoft.com/en-us/azure/cosmos-db/policy-reference https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#disable-local-auth

Correct Answer: AC

A: When a client acquires an access token to access a protected resource, the client also receives a refresh token. The refresh token is used to obtain new access/refresh token pairs when the current access token expires. Refresh tokens

are also used to acquire extra access tokens for other resources.

Refresh token expiration

Refresh tokens can be revoked at any time, because of timeouts and revocations.

C: Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It uses a combination of endpoint behavioral sensors, cloud

security analytics, and threat intelligence.

The interviewees said that “by implementing Zero Trust architecture, their organizations improved employee experience (EX) and increased productivity.” They also noted, “increased device performance and stability by managing all of their endpoints with Microsoft Endpoint Manager.” This had a bonus effect of reducing the number of agents installed on a user's device, thereby increasing device stability and performance. “For some organizations, this can reduce boot times from 30 minutes to less than a minute,” the study states. Moreover, shifting to Zero Trust moved the burden of security away from users. Implementing single sign-on (SSO), multifactor authentication (MFA), leveraging passwordless authentication, and eliminating VPN clients all further reduced friction and improved user productivity.

Note: Azure AD at the heart of your Zero Trust strategy Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access. Azure AD's Conditional Access capabilities are the policy decision point for access to resource

Reference: https://www.microsoft.com/security/blog/2022/02/17/4-best-practices-to-implement-a-comprehensive-zero-trust-security-approach/ https://docs.microsoft.com/en-us/azure/active-directory/develop/refresh-tokens

Correct Answer: C

Configure Azure Storage firewalls and virtual networks.

To secure your storage account, you should first configure a rule to deny access to traffic from all networks (including internet traffic) on the public endpoint, by default. Then, you should configure rules that grant access to traffic from specific

VNets. You can also configure rules to grant access to traffic from selected public internet IP address ranges, enabling connections from specific internet or on-premises clients. This configuration enables you to build a secure network

boundary for your applications.

Storage firewall rules apply to the public endpoint of a storage account. You don't need any firewall access rules to allow traffic for private endpoints of a storage account. The process of approving the creation of a private endpoint grants

implicit access to traffic from the subnet that hosts the private endpoint.

Incorrect:

Not B: You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound

network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol.

Not E: A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing

the complexity of frequent updates to network security rules.

Reference: https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security

Correct Answer: A

Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.

Often, organizations have collections of machines that routinely run the same processes. Microsoft Defender for Cloud uses machine learning to analyze the applications running on your machines and create a list of the known-safe software.

Allowlists are based on your specific Azure workloads, and you can further customize the recommendations using the instructions below.

When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.

Incorrect:

Not B: App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of

actions that are prohibited or monitored when the user is inside the app. A managed app is an app that has app protection policies applied to it, and can be managed by Intune.

Not C: Cloud Discovery anomaly detection policy reference. A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded

data, uploaded data, transactions, and users are considered for each cloud application.

Not D: The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. This benchmark is part of a set of holistic security guidance.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls

https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy

https://docs.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-anomaly-detection-policy

https://docs.microsoft.com/en-us/security/benchmark/azure/overview

Correct Answer: A

We need to use customer-managed keys.

Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and

decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

In Azure, the default setting for TDE is that the Database Encryption Key (DEK) is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256.

TDE protector is either a service-managed certificate (service-managed transparent data encryption) or an asymmetric key stored in Azure Key Vault (customer-managed transparent data encryption).

Note: Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Our

recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.

This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers endto-end rotation.

Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview

https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation

Correct Answer: B

Dynamic application security testing (DAST)

In a classical waterfall development model, security was typically introduced at the last step, right before going to production. One of the most popular security approaches is penetration testing or pen testing. Penetration testing lets a team

look at the application from a black-box security perspective, as in, closest to an attacker mindset.

Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls

https://learn.microsoft.com/en-us/security/benchmark/azure/mcsb-devops-security

Correct Answer: D

Explanation:

If a ransomware attack is detected the affected entity should immediately activate its security incident response plan, which should include measures to isolate the infected computer systems in order to halt propagation of the attack.

Note: Isolate devices from the network

Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities

such as data exfiltration and lateral movement.

Reference:

https://csrc.nist.gov/CSRC/media/Presentations/Ransomware-and-Breach/images-media/ransomware_guidance.pdf

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#isolate-devices-from-the-network

Correct Answer: A

Correct Answer: D

Explanation:

By default, the Kubernetes API server uses a public IP address and a fully qualified domain name (FQDN). You can limit access to the API server endpoint using authorized IP ranges. You can also create a fully private cluster to limit API

server access to your virtual network.

Reference:

https://learn.microsoft.com/en-us/azure/aks/concepts-security