SC-100 Online Practice Questions and Answers

Correct Answer:

Box 1: Microsoft Defender for IoT

Microsoft Defender for IoT is a unified security solution for identifying IoT and OT devices, vulnerabilities, and threats and managing them through a central interface.

Azure IoT Edge provides powerful capabilities to manage and perform business workflows at the edge. The key part that IoT Edge plays in IoT environments make it particularly attractive for malicious actors.

Defender for IoT azureiotsecurity provides a comprehensive security solution for your IoT Edge devices. Defender for IoT module collects, aggregates and analyzes raw security data from your Operating System and container system into

actionable security recommendations and alerts.

Box 2: Microsoft Defender for Cloud and Azure Arc

Microsoft Defender for Cloud provides the following features in the CSPM (Cloud Security Posture Management) category in the multi-cloud scenario for AWS. Take into account that some of them require Defender plan to be enabled (such

as Regulatory Compliance):

*

Detection of security misconfigurations

*

Single view showing Security Center recommendations and AWS Security Hub findings

*

Incorporation of AWS resources into Security Center's secure score calculations

*

Regulatory compliance assessments of AWS resources

Security Center uses Azure Arc to deploy the Log Analytics agent to AWS instances.

Incorrect: AWS EC2 Microsoft Defender for Cloud Apps Amazon Web Services is an IaaS provider that enables your organization to host and manage their entire workloads in the cloud. Along with the benefits of leveraging infrastructure in the cloud, your organization's most critical assets may be exposed to threats. Exposed assets include storage instances with potentially sensitive information, compute resources that operate some of your most critical applications, ports, and virtual private networks that enable access to your organization.

Connecting AWS to Defender for Cloud Apps helps you secure your assets and detect potential threats by monitoring administrative and sign-in activities, notifying on possible brute force attacks, malicious use of a privileged user account, unusual deletions of VMs, and publicly exposed storage buckets.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-iot/device-builders/security-edge-architecture https://samilamppu.com/2021/11/04/multi-cloud-security-posture-management-in-microsoft-defender-for-cloud/

Correct Answer:

Box 1: A security PIN

Azure Backup

The best way to prevent falling victim to ransomware is to implement preventive measures and have tools that protect your organization from every step that attackers take to infiltrate your systems.

You can reduce your on-premises exposure by moving your organization to a cloud service.

Checks have been added to make sure only valid users can perform various operations. These include adding an extra layer of authentication. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a

security PIN before modifying online backups.

Box 2: Encryption by using platform-managed keys

Ensure backup data is encrypted.

By default, backup data at rest is encrypted using platform-managed keys (PMK). For vaulted backups, you can choose to use customer-managed keys (CMK) to own and manage the encryption keys yourself. Additionally, you can configure

encryption on the storage infrastructure using infrastructure-level encryption, which along with CMK encryption provides double encryption of data at rest.

Reference:

https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware

https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

Correct Answer:

Box 1: Groups and sites SharePoint online handles sites.

Azure Active Directory (Azure AD) supports applying sensitivity labels published by the Microsoft Purview compliance portal to Microsoft 365 groups. Sensitivity labels apply to group across services like Outlook, Microsoft Teams, and SharePoint.

Box 2: Schematized data assets Label travels with the data: The sensitivity labels created in Microsoft Purview Information Protection can also be extended to the Microsoft Purview Data Map, SharePoint, Teams, Power BI, and SQL. When you apply a label on an office document and then scan it into the Microsoft Purview Data Map, the label will be applied to the data asset.

After you enable and configure sensitivity labels for containers, users can additionally see and apply sensitivity labels to Microsoft team sites, Microsoft 365 groups, and SharePoint sites.

Box 3: Files and emails

Exchange Online handles files and emails.

Reference: https://docs.microsoft.com/en-us/azure/purview/create-sensitivity-label

https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-assign-sensitivity-labels

Correct Answer:

Box 1: Microsoft Defender for servers

Scenario: Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.

Defender for Servers is one of the enhanced security features available in Microsoft Defender for Cloud. You can use it to add threat detection and advanced defenses to your Windows and Linux machines that exist in hybrid and multicloud

environments.

Available Defender for Server plans

Defender for Servers offers you a choice between two paid plans.

Both include automatic onboarding for resources in Azure, AWS, GCP.

Plan 1 includes the following benefits:

Automatic onboarding for resources in Azure, AWS, GCP

Microsoft threat and vulnerability management

Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal

A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, Vulnerability Assessment and an automatic integration with Microsoft Defender for Cloud.

Plan 2 includes everything in Plan 1 plus some additional benefits.

Box 2: Microsoft Sentinel

Scenario: AWS Requirements

Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:

Ensure that the security administrators can query AWS service logs directly from the Azure environment.

Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel.

Note: These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS

by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction

https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws

https://docs.microsoft.com/en-us/azure/sentinel/connect-aws

Correct Answer: B

Lightweight Directory Access Protocol (LDAP) is an application protocol for working with various directory services. Directory services, such as Active Directory, store user and account information, and security information like passwords. The service then allows the information to be shared with other devices on the network. Enterprise applications such as email, customer relationship managers (CRMs), and Human Resources (HR) software can use LDAP to authenticate, access, and find information.

Azure Active Directory (Azure AD) supports this pattern via Azure AD Domain Services (AD DS). It allows organizations that are adopting a cloud-first strategy to modernize their environment by moving off their on-premises LDAP resources

to the cloud. The immediate benefits will be:

Integrated with Azure AD. Additions of users and groups, or attribute changes to their objects are automatically synchronized from your Azure AD tenant to AD DS. Changes to objects in on-premises Active Directory are synchronized to

Azure AD, and then to AD DS.

Simplify operations. Reduces the need to manually keep and patch on-premises infrastructures. Reliable. You get managed, highly available services Reference: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-ldap

Correct Answer: D

Microsoft Security Compliance Toolkit 1.0, Policy Analyzer.

The Policy Analyzer is a utility for analyzing and comparing sets of Group Policy Objects (GPOs). Its main features include:

Highlight when a set of Group Policies has redundant settings or internal inconsistencies.

Highlight the differences between versions or sets of Group Policies.

Compare GPOs against current local policy and local registry settings

Export results to a Microsoft Excel spreadsheet

Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a

baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set.

Note: The Security Compliance Toolkit (SCT) is a set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft

products.

The SCT enables administrators to effectively manage their enterprise's Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit

them, store them in GPO backup file format, and apply them broadly through Active Directory or individually through local policy.

Security Compliance Toolkit Tools:

Policy Analyzer

Local Group Policy Object (LGPO)

Set Object Security

GPO to Policy Rules

Incorrect:

Not B: Local Group Policy Object (LGPO)

What is the Local Group Policy Object (LGPO) tool?

LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-

domain-joined systems. LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. It can export local policy to a GPO

backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.

Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10

Correct Answer: A

We need to use customer-managed keys.

Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and

decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

In Azure, the default setting for TDE is that the Database Encryption Key (DEK) is protected by a built-in server certificate. The built-in server certificate is unique for each server and the encryption algorithm used is AES 256.

TDE protector is either a service-managed certificate (service-managed transparent data encryption) or an asymmetric key stored in Azure Key Vault (customer-managed transparent data encryption).

Note: Automated key rotation in Key Vault allows users to configure Key Vault to automatically generate a new key version at a specified frequency. You can use rotation policy to configure rotation for each individual key. Our

recommendation is to rotate encryption keys at least every two years to meet cryptographic best practices.

This feature enables end-to-end zero-touch rotation for encryption at rest for Azure services with customer-managed key (CMK) stored in Azure Key Vault. Please refer to specific Azure service documentation to see if the service covers endto-end rotation.

Reference: https://docs.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-tde-overview

https://docs.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation

Correct Answer: AB

This question is to increase secure score. Here is a long reference page from Microsoft of security recommendations that can increase your secure score. Sentinel and PIM are not on it. The explanation makes a great point about alerts not being preventive, which is a key aspect of the required solution.

https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls

Correct Answer: C

Explanation:

Use adaptive application controls to reduce your machines' attack surfaces

Adaptive application controls are an intelligent and automated solution for defining allowlists of known-safe applications for your machines.

When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.

Incorrect:

Not A: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are

considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.

Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/adaptive-application-controls

Correct Answer: B

Explanation:

Windows Defender Application Control is designed to protect devices against malware and other untrusted software. It prevents malicious code from running by ensuring that only approved code, that you know, can be run.

Application Control is a software-based security layer that enforces an explicit list of software that is allowed to run on a PC.

Incorrect:

Not C: A Cloud Discovery anomaly detection policy enables you to set up and configure continuous monitoring of unusual increases in cloud application usage. Increases in downloaded data, uploaded data, transactions, and users are

considered for each cloud application. Each increase is compared to the normal usage pattern of the application as learned from past usage. The most extreme increases trigger security alerts.

Reference:

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager