Free Microsoft AZ-801 Exam Questions (page: 6)

DRAG DROP (Drag and Drop is not supported)

You have an Azure subscription that contains an Azure key vault named Vault1.

You plan to deploy a virtual machine named VM1 that will run Windows Server.

You need to enable encryption at host for VM1. The solution must use customer-managed keys.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Step 1: Enable a system-assigned managed identity on VM1.
You can use customer-managed keys to encrypt your disk caches. Setting up customer-managed keys for your disks requires you to create resources in a particular order, if you're doing it for the first time. First, you'll need to create and set up an Azure Key Vault.

Step 2: Assign the Virtual Machine Contributor role to the system-assigned managed identity of VM1.

Add an Azure RBAC role
Now that you've created the Azure key vault and a key, you must add an Azure RBAC role, so you can use your Azure key vault with your disk encryption set.

1. Select Access control (IAM) and add a role.
2. Add either the Key Vault Administrator, Owner, or Contributor roles.

Step 3: Create a disk encryption set and generate RSA keys


Reference:

https://learn.microsoft.com/en-us/azure/virtual-machines/disks-enable-host-based-encryption-portal



HOTSPOT (Drag and Drop is not supported)

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains three servers named Server1, Server2, and Server3 that run Windows Server. All the servers are on the same network and have network connectivity.

On Server1, Windows Defender Firewall has a connection security rule that has the following settings:

Rule Type: Server-to-server

Endpoint 1: Any IP address

Endpoint 2: Any IP address

Requirements: Require authentication for inbound connections and request authentication for outbound connections

Authentication Method: Computer (Kerberos V5)

Profile: Domain, Private, Public

Name: Rule1

Server2 has no connection security rules.

On Server3, Windows Defender Firewall has a connection security rule that has the following settings:

Rule Type: Server-to-server

Endpoint 1: Any IP address

Endpoint 2: Any IP address

Requirements: Request authentication for inbound and outbound connections

Authentication Method: Computer (Kerberos V5)

Profile: Domain, Private, Public

Name: Rule1

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: No
On Server1 we see: request authentication for outbound connections.
Server2 has no connection security rules.
Authentication will not be required.

Box 2: Yes
Server2 has no connection security rules.

Server3 has request authentication for inbound.
A connection can be established.

Box 3: Yes
Server3 has request authentication for outbound connections.
Server1 requires authentication for inbound connections.
Authentication will be required. The connection will be encrypted with Computer (Kerberos V5).


Reference:

https://www.sciencedirect.com/topics/computer-science/connection-security-rule



Your network contains an Active Directory Domain Services (AD DS) forest. The forest functional level is Windows Server 2012 R2. The forest contains the domains shown in the following table.



You create a user named Admin1.

You need to ensure that Admin1 can add a new domain controller that runs Windows Server 2022 to the east.contoso.com domain. The solution must follow the principle of least privilege.

To which groups should you add Admin1?

  1. EAST\Domain Admins only
  2. CONTOSO\Enterprise Admins only
  3. CONTOSO\Schema Admins and EAST\Domain Admins
  4. CONTOSO\Enterprise Admins and CONTOSO\Schema Admins

Answer(s): A

Explanation:

Domain Admins is the AD group that most people think of when discussing Active Directory administration. This group has full admin rights by default on all domain-joined servers and workstations, Domain Controllers, and Active Directory. It gains admin rights on domain-joined computers since when these systems are joined to AD, the Domain Admins group is added to the computer's Administrators group.
Incorrect:
Not C: Members of the Schema Admins group are allowed to make changes to the schema. The schema is the underlying definition of all objects and attributes that make up the forest. Membership in the Schema Admins group is not required for any purpose beyond making schema changes.
Not B, Not D: What is higher than domain admin?
"The enterprise admin... has more authority than domain admins... and has rights across the entire forest." An enterprise admin has full control over the entire forest and can do anything that would affect multiple domains, like linking group policies to a site that can span domain boundaries.


Reference:

https://adsecurity.org/?p=3700



You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains the resources shown in the following table.



Sub1 has Microsoft Defender for Servers enabled. You are assigned the Contributor role for Sub1.

You need to implement just-in-time (JIT) VM access for VM1.

What should you do first?

  1. Create a network security group (NSG).
  2. Enable enhanced security in Microsoft Defender for Cloud.
  3. Request the Owner role for Sub1.
  4. Create an application security group.

Answer(s): A



HOTSPOT (Drag and Drop is not supported)

Your network contains an Active Directory Domain Services (AD DS) domain named contoso.com. The domain contains an organizational unit (OU) named OU1. OU1 contains servers that run sensitive workloads.

You plan to add connection security rules that meet the following requirements:

The servers in OU1 must only accept connections from domain-joined

The servers in OU1 must only be able to communicate with domain-joined

You create a Group Policy Object (GPO) named GPO1 and link GPO1 to contoso.com.

You need to configure a connection security rule in GPO1 by using Windows Defender Firewall with Advanced Security.

How should you configure the rule? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:





Box 1: Isolation
Rule Type

There are five different types of connection security rules that you can create:

* Isolation--allows you to restrict communication to only those hosts that can authenticate using specific credentials. For example, you can allow communications only to computers that are joined to an Active Directory domain.

Incorrect:
* Authentication exemption--allows you to configure exemptions to the isolation rules, such as an exemption that would allow connections to a DNS server without the requirement to authenticate.

* Tunnel--allows you to create rules that work in the same way as server-to-server rules but are implemented through tunnels (site-to-site connections).

Box 2: Require authentication for inbound and outbound connections
Requirements:

Box 3: Computer (Kerberos V5)
Authentication method:

You have four choices here:

* You can choose Default and use the authentication methods that are defined in the IPsec settings.

* You can choose Computer and User to use Kerberos v5 and restrict communications to connections from domain-joined users and computers only.

*-> You can choose Computer to use Kerberos v5 and restrict communications to connections from domain-joined computers only.

* You can choose the Advanced option and specify custom settings for first and second authentication methods.

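The rule described in Boxes 1 to 3 can also be written into GPO1 with the NetSecurity cmdlets. This is an added example, not part of the exam page or the cited reference; it assumes GPO1 already exists in contoso.com and that the session has rights to edit it.

```powershell
# Added example: isolation connection security rule in GPO1 that requires
# Computer (Kerberos V5) authentication for inbound and outbound connections.
# Assumption: GPO "GPO1" exists in contoso.com; PolicyStore syntax is <domain>\<GPO>.
$store = 'contoso.com\GPO1'

# Phase 1 (main mode) authentication: Computer Kerberos only, so only
# domain-joined computers can authenticate (no user credential required).
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'OU1 Computer Kerberos' `
              -Proposal $proposal -PolicyStore $store

# Isolation rule: any endpoint (no -LocalAddress/-RemoteAddress filter),
# authentication required in both directions, all three profiles.
New-NetIPsecRule -DisplayName 'OU1 Isolation' `
    -Mode Transport `
    -InboundSecurity Require `
    -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain, Private, Public `
    -PolicyStore $store

# Review what was written to the GPO before it applies to the OU1 servers.
Get-NetIPsecRule -PolicyStore $store |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile
```

Because "Require" in both directions blocks every non-domain host, pair the rule with an authentication exemption for infrastructure such as DNS or DHCP servers that cannot authenticate.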

Reference:

https://www.sciencedirect.com/topics/computer-science/connection-security-rule



DRAG DROP (Drag and Drop is not supported)

You have a Windows Server failover cluster named Cluster1 that contains the Cluster Shared Volumes (CSV) shown in the following table.



All the nodes in Cluster1 have BitLocker Drive Encryption (BitLocker) installed.

You need to use PowerShell to enable BitLocker on Volume1.

In which order should you run the commands? To answer, drag the appropriate commands to the correct order. You may need to drag the split bar between panes or scroll to view content.

Note: Each correct selection is worth one point.

Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Step 1: Get-ClusterSharedVolume -Name "Volume1" | Suspend-ClusterResource

Use BitLocker with Cluster Shared Volumes (CSV)
Encrypt using a recovery key
Encrypting the drives using a recovery key will allow a BitLocker recovery key to be created and added into the Cluster database. As the drive is coming online, it only needs to consult the local cluster hive for the recovery key.

(Move the disk resource to the node where BitLocker encryption will be enabled:

Get-ClusterSharedVolume -Name "Cluster Disk 1" | Move-ClusterSharedVolume -Node Node1)

Put the disk resource into Maintenance Mode:

Get-ClusterSharedVolume -Name "Cluster Disk 1" | Suspend-ClusterResource [Step 1]

A dialog box will pop up that says:

Suspend-ClusterResource

Are you sure that you want to turn on maintenance for Cluster Shared Volume 'Cluster Disk 1'? Turning on maintenance will stop all clustered roles that use this volume and will interrupt client access.

Step 2: Enable-BitLocker -MountPoint "C:\ClusterStorage\Volume1" -RecoveryPasswordProtector

To enable BitLocker encryption, run:
Enable-BitLocker -MountPoint "C:\ClusterStorage\Volume1" -RecoveryPasswordProtector

Once entering the command, a warning appears and provides a numeric recovery password. Save the password in a secure location as it is also needed in an upcoming step. The warning looks similar to this:

Step 3: $KeyProtectorID = (Get-BitlockerVolume -MountPoint ..

To get the BitLocker protector information for the volume, the following command can be run:

(Get-BitlockerVolume -MountPoint "C:\ClusterStorage\Volume1").KeyProtector

Step 4: Get-ClusterSharedVolume "Volume1" | Set-ClusterParameter -Name BitLockerProtectorInfo -Value ... -Create

The key protector ID and recovery password will be needed and saved into a new physical disk private property called BitLockerProtectorInfo. This new property will be used when the resource comes out of Maintenance Mode. The format of the protector will be a string where the protector ID and the password are separated by a
":".

Get-ClusterSharedVolume "Cluster Disk 1" | Set-ClusterParameter -Name BitLockerProtectorInfo -Value "{26935AC3-8B17-482D-BA3F-D373C7954D29}:271733-258533-688985-480293-713394-034012-061963-682044" -Create

Step 5: Get-ClusterSharedVolume -Name "Volume1" | Resume-ClusterResource

Now that the information is present, the disk can be brought out of maintenance mode once the encryption process is completed.

Get-ClusterSharedVolume -Name "Cluster Disk 1" | Resume-ClusterResource

If the resource fails to come online, it could be a storage issue, an incorrect recovery password, or some other issue. Verify that the BitLockerProtectorInfo key has the proper information. If it doesn't, the commands previously given should be run again. If the problem isn't with this key, we recommend working with the proper group within your organization or the storage vendor to resolve the issue.

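The five steps above, run as one script that builds the "protector ID:password" string from the volume's own recovery-password protector rather than retyping it. This is an added example, not part of the exam page or the referenced article; it assumes a cluster node with the FailoverClusters and BitLocker modules, a CSV resource named Volume1 mounted at C:\ClusterStorage\Volume1, and that the current node owns that resource.

```powershell
# Added example: enable BitLocker on a CSV end to end. Assumptions: the CSV
# resource is "Volume1", its mount point is C:\ClusterStorage\Volume1, and the
# script runs on the owning node with cluster and BitLocker admin rights.
$csvName    = 'Volume1'
$mountPoint = 'C:\ClusterStorage\Volume1'

# Step 1: put the CSV into maintenance mode (clustered roles using it stop).
Get-ClusterSharedVolume -Name $csvName | Suspend-ClusterResource -Force

# Step 2: enable BitLocker with a recovery-password protector.
Enable-BitLocker -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null

# Step 3: read back the recovery-password protector and its numeric password.
$protector = (Get-BitLockerVolume -MountPoint $mountPoint).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object -First 1
if (-not $protector) { throw "No RecoveryPassword protector found on $mountPoint" }

# Step 4: store "{id}:password" in the BitLockerProtectorInfo private property
# so the cluster can unlock the volume when it leaves maintenance mode.
$protectorInfo = '{0}:{1}' -f $protector.KeyProtectorId, $protector.RecoveryPassword
Get-ClusterSharedVolume -Name $csvName |
    Set-ClusterParameter -Name BitLockerProtectorInfo -Value $protectorInfo -Create

# Step 5: wait for encryption to finish, then bring the resource back online.
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $mountPoint
} while ($vol.VolumeStatus -eq 'EncryptionInProgress')

Get-ClusterSharedVolume -Name $csvName | Resume-ClusterResource
```

Escrow the recovery password somewhere other than the cluster database as well (for example AD DS), since the cluster hive is the only copy this script creates.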

Reference:

https://learn.microsoft.com/en-us/windows-server/failover-clustering/bitlocker-on-csv-in-ws-2022



You have an on-premises server named Server1 that runs Windows Server 2022 Standard.

You have an Azure subscription that contains the virtual machines shown in the following table.



The subscription contains a Microsoft Sentinel instance named Sentinel1 in the Central US Azure region.

You need to implement the Windows Firewall connector.

Which servers can send Windows Firewall logs to Sentinel1?

  1. VM1 only
  2. VM2 only
  3. VM1 and Server1 only
  4. VM1, VM2, and VM3 only
  5. VM1, VM2, and Server1 only
  6. VM1, VM2, VM3, and Server1

Answer(s): E

Explanation:

VM1 and VM2 are located in Azure regions (West US and Central US), and since Microsoft Sentinel (Sentinel1) is in the Central US region, both of these virtual machines can send their Windows Firewall logs to Sentinel1. This includes VM1 with Windows Server 2022 Datacenter: Azure Edition and VM2 with Windows Server 2019 Datacenter.
Server1, which runs Windows Server 2022 Standard on-premises, can also send logs to Sentinel1 since it can be connected to Microsoft Sentinel through agents that enable on-premises servers to integrate with Azure Sentinel.
VM3, although located in the Central US region, runs Windows Server 2016 Datacenter, which may not support some of the required integration features out of the box without additional configuration or updates.
Therefore, it is less likely to send logs to Sentinel1 unless further steps are taken.



HOTSPOT (Drag and Drop is not supported)

Your network contains an on-premises Active Directory Domain Services (AD DS) domain.

The domain contains the servers shown in the following table.



Server1 has the connection security rule as shown in the Server1 exhibit. (Click the Server1 tab.)



Server2 has the connection security rule as shown in the Server2 exhibit. (Click the Server2 tab.)



Server1 has the inbound firewall rules as shown in the Server1 inbound rules exhibit. (Click the Server1 inbound rules tab.)



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Server2 can ping Server1 successfully: Yes.
The inbound firewall rules on Server1 allow ICMP traffic for both ICMPv4 and ICMPv6 (the protocols used for ping). This means that Server2 should be able to ping Server1 successfully.

Server2 can connect to a file share on Server1: Yes.
The inbound rules on Server1 allow SMB (Server Message Block) traffic, which is used for file sharing, so Server2 can connect to file shares on Server1.

Server3 can connect to a file share on Server1: Yes.
The same inbound rules on Server1 that allow file sharing via SMB apply to Server3 as well, meaning Server3 should be able to connect to file shares on Server1.


