Free SC-100 Exam Braindumps (page: 3)


HOTSPOT (Drag and Drop is not supported)
You need to recommend a solution to meet the AWS requirements.
What should you include in the recommendation? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Box 1: Microsoft Defender for servers
Scenario: Notify security administrators at Fabrikam if any AWS EC2 instances are noncompliant with secure score recommendations.
Defender for Servers is one of the enhanced security features available in Microsoft Defender for Cloud. You can use it to add threat detection and advanced defenses to your Windows and Linux machines that exist in hybrid and multicloud environments.
Available Defender for Server plans
Defender for Servers offers you a choice between two paid plans.
Both include automatic onboarding for resources in Azure, AWS, GCP.

Plan 1 includes the following benefits:
Automatic onboarding for resources in Azure, AWS, GCP
Microsoft threat and vulnerability management
Flexibility to use Microsoft Defender for Cloud or Microsoft 365 Defender portal
A Microsoft Defender for Endpoint subscription that includes access to alerts, software inventory, Vulnerability Assessment and an automatic integration with Microsoft Defender for Cloud.
Plan 2 includes everything in Plan 1 plus some additional benefits.
Box 2: Microsoft Sentinel
Scenario: AWS Requirements
Fabrikam identifies the following security requirements for the data hosted in ContosoAWS1:
Ensure that the security administrators can query AWS service logs directly from the Azure environment.
Use the Amazon Web Services (AWS) connectors to pull AWS service logs into Microsoft Sentinel.
Note: These connectors work by granting Microsoft Sentinel access to your AWS resource logs. Setting up the connector establishes a trust relationship between Amazon Web Services and Microsoft Sentinel. This is accomplished on AWS by creating a role that gives permission to Microsoft Sentinel to access your AWS logs.
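The role and trust relationship described above, as an added Terraform example (not part of the original page or of Microsoft's connector setup). It assumes three inputs that the connector page in the Sentinel portal gives you: the Microsoft-side principal that will assume the role, your Log Analytics workspace ID, and the name of the S3 bucket your AWS service logs land in. The shape shown (cross-account sts:AssumeRole plus an ExternalId condition) is the one the original CloudTrail connector used; the newer S3 connector additionally needs SQS queue permissions and uses web-identity federation, so copy the exact trust statement the portal shows you. The security point is the same either way: the trust policy must name one principal and carry a condition bound to your workspace, and the permissions policy must be read-only and scoped to the log bucket.

```hcl
# Added example, not from the page: IAM role that lets Microsoft Sentinel read AWS logs.
# Assumptions (all supplied by the connector page in the Sentinel portal / your account):
#   var.sentinel_principal_arn  - Microsoft-side principal allowed to assume the role
#   var.sentinel_workspace_id   - your Log Analytics workspace ID, used as the ExternalId
#   var.log_bucket_name         - S3 bucket that CloudTrail / VPC Flow Logs are written to
variable "sentinel_principal_arn" { type = string }
variable "sentinel_workspace_id"  { type = string }
variable "log_bucket_name"        { type = string }

# Trust policy: only the Sentinel principal may assume the role, and only when it
# presents our workspace ID as ExternalId. Without that condition, anyone who learns
# the role ARN could point their own Sentinel workspace at our logs (confused deputy).
data "aws_iam_policy_document" "sentinel_trust" {
  statement {
    sid     = "AllowSentinelAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.sentinel_principal_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.sentinel_workspace_id]
    }
  }
}

# Permissions policy: read-only and scoped to the log bucket. No s3:* and no "*" resource;
# the connector only needs to list the bucket and fetch objects.
data "aws_iam_policy_document" "sentinel_read_logs" {
  statement {
    sid       = "ReadLogObjects"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${var.log_bucket_name}/*"]
  }

  statement {
    sid       = "ListLogBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = ["arn:aws:s3:::${var.log_bucket_name}"]
  }
}

resource "aws_iam_role" "sentinel" {
  name               = "MicrosoftSentinelLogReader"   # placeholder name
  assume_role_policy = data.aws_iam_policy_document.sentinel_trust.json
}

resource "aws_iam_role_policy" "sentinel_read_logs" {
  name   = "ReadSecurityLogs"
  role   = aws_iam_role.sentinel.id
  policy = data.aws_iam_policy_document.sentinel_read_logs.json
}

# Paste this ARN into the AWS connector in Microsoft Sentinel.
output "role_arn_for_sentinel_connector" {
  value = aws_iam_role.sentinel.arn
}
```

After `terraform apply`, verify the trust from the AWS side with `aws iam get-role --role-name MicrosoftSentinelLogReader` and confirm the `sts:ExternalId` condition is present; a role whose trust policy lacks it should be treated as a finding, not a convenience.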


Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-introduction
https://docs.microsoft.com/en-us/azure/defender-for-cloud/recommendations-reference-aws
https://docs.microsoft.com/en-us/azure/sentinel/connect-aws



HOTSPOT (Drag and Drop is not supported)
You need to recommend a solution to evaluate regulatory compliance across the entire managed environment. The solution must meet the regulatory compliance requirements and the business requirements.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Box 1: Azure Policy initiatives to management groups
If your organization has many Azure subscriptions, you may need a way to efficiently manage access, policies, and compliance for those subscriptions.
Management groups provide a governance scope above subscriptions. You organize subscriptions into management groups, and the governance conditions you apply to a management group cascade by inheritance to all subscriptions under it.
If you plan to apply a policy definition to multiple subscriptions, the location must be a management group that contains the subscriptions you assign the policy to.
The same is true for an initiative definition.
With an initiative definition, you can group several policy definitions to achieve one overarching goal. An initiative evaluates resources within scope of the assignment for compliance to the included policies.
Incorrect:
Not: Azure Policy initiatives to subscriptions
Must use a management group as we have multiple subscriptions.
Scenario:
Requirements. Business Requirements
Litware identifies the following business requirements:
• Minimize any additional on-premises infrastructure.
• Minimize the operational costs associated with administrative overhead.
Box 2: Azure Arc
With Azure Arc:
Meet governance and compliance standards for apps, infrastructure, and data with Azure Policy.
Take advantage of elastic scale, consistent on-premises and multicloud management, and cloud-style billing models.
Note: Azure Arc is a bridge that extends the Azure platform to help you build applications and services with the flexibility to run across datacenters, at the edge, and in multicloud environments. Develop cloud-native applications with a consistent development, operations, and security model. Azure Arc runs on both new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems.
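The management-group assignment from Box 1, as an added Terraform example (not from the page or from Microsoft). It assumes a management group named litware-landing-zones already exists and that you supply the initiative's resource ID (a /providers/Microsoft.Authorization/policySetDefinitions/<guid> path, copied from the portal or `az policy set-definition list`) in var.initiative_id; the excluded subscription ID is a placeholder. Because Azure Arc-enabled servers are projected into Azure as Microsoft.HybridCompute/machines resources inside a subscription, the same assignment evaluates them, which is how one initiative covers the whole managed environment.

```hcl
# Added example, not from the page: assign a compliance initiative ONCE at management-group
# scope so every subscription beneath it (and every Arc-enabled machine in those
# subscriptions) inherits the assignment.
# Assumptions: management group "litware-landing-zones" exists; var.initiative_id is the
# resource ID of the policy set definition you want to evaluate against.
variable "initiative_id" { type = string }

data "azurerm_management_group" "landing_zones" {
  name = "litware-landing-zones"   # assumed management group name
}

resource "azurerm_management_group_policy_assignment" "regulatory" {
  name                 = "lz-regcompliance"   # MG-scope assignment names are limited to 24 chars
  display_name         = "Regulatory compliance - landing zones"
  management_group_id  = data.azurerm_management_group.landing_zones.id
  policy_definition_id = var.initiative_id
  location             = "westeurope"   # required whenever an identity is attached
  enforce              = true           # false = audit-only ("DoNotEnforce") for a trial run

  # deployIfNotExists / modify policies inside the initiative need an identity to run
  # their remediation deployments.
  identity {
    type = "SystemAssigned"
  }

  # Keep a sandbox subscription under the MG (so it is still reported) but exempt it
  # from enforcement. Placeholder subscription ID.
  not_scopes = ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}

# The assignment's identity needs rights at the same scope to remediate. Contributor is
# the common choice; tighten it to the roleDefinitionIds declared by the initiative's
# policies if you want least privilege.
resource "azurerm_role_assignment" "remediation" {
  scope                = data.azurerm_management_group.landing_zones.id
  role_definition_name = "Contributor"
  principal_id         = azurerm_management_group_policy_assignment.regulatory.identity[0].principal_id
}
```

Assigning the same initiative per subscription (the rejected option) would mean one assignment, one identity and one role assignment per subscription, and a new subscription dropped into the hierarchy would start out unevaluated; at management-group scope it is covered the moment it is moved in.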


Reference:

https://docs.microsoft.com/en-us/azure/governance/management-groups/overview
https://azure.microsoft.com/en-us/services/azure-arc/#product-overview



You need to recommend a strategy for routing internet-bound traffic from the landing zones. The solution must meet the landing zone requirements.
What should you recommend as part of the landing zone deployment?

  1. local network gateways
  2. forced tunneling
  3. service chaining

Answer(s): C

Explanation:

Service chaining.
Service chaining enables you to direct traffic from one virtual network to a virtual appliance or gateway in a peered network through user-defined routes.
You can deploy hub-and-spoke networks, where the hub virtual network hosts infrastructure components such as a network virtual appliance or VPN gateway. All the spoke virtual networks can then peer with the hub virtual network. Traffic flows through network virtual appliances or VPN gateways in the hub virtual network.
Virtual network peering enables the next hop in a user-defined route to be the IP address of a virtual machine in the peered virtual network, or a VPN gateway.
You can't route between virtual networks with a user-defined route that specifies an Azure ExpressRoute gateway as the next hop type.
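The hub-and-spoke service chain described above, as an added Terraform example (not from the page or from Microsoft): a spoke landing zone whose default route points at the private IP of Azure Firewall in the peered hub. It assumes a provider alias azurerm.connectivity is configured for the dedicated hub subscription, that the hub VNet "vnet-hub" and firewall "fw-hub" already exist in resource group "rg-connectivity", and uses placeholder names and address ranges for the spoke. Property names follow the azurerm 3.x provider.

```hcl
# Added example, not from the page: force spoke internet egress through Azure Firewall in
# the hub subscription using a user-defined route (service chaining over VNet peering).
# Assumptions: provider alias azurerm.connectivity targets the hub subscription; hub VNet
# and firewall already exist; spoke names/ranges are placeholders.

data "azurerm_virtual_network" "hub" {
  provider            = azurerm.connectivity
  name                = "vnet-hub"
  resource_group_name = "rg-connectivity"
}

data "azurerm_firewall" "hub" {
  provider            = azurerm.connectivity
  name                = "fw-hub"
  resource_group_name = "rg-connectivity"
}

resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-lz-claims"
  location            = "westeurope"
  resource_group_name = "rg-lz-claims"
  address_space       = ["10.10.0.0/16"]
}

resource "azurerm_subnet" "workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_virtual_network.spoke.resource_group_name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.10.1.0/24"]
}

resource "azurerm_route_table" "spoke_egress" {
  name                          = "rt-lz-claims-egress"
  location                      = azurerm_virtual_network.spoke.location
  resource_group_name           = azurerm_virtual_network.spoke.resource_group_name
  disable_bgp_route_propagation = true   # on-prem BGP routes must not bypass the firewall

  # The next hop is a VM-style address in the PEERED hub VNet: the firewall's private IP.
  route {
    name                   = "default-via-hub-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = data.azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.spoke_egress.id
}

# Both peering links must allow forwarded traffic, otherwise packets the firewall
# forwards on the spoke's behalf are dropped at the peering.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-to-hub"
  resource_group_name       = azurerm_virtual_network.spoke.resource_group_name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = data.azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = true    # hybrid connectivity also comes from the hub
}

resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  provider                  = azurerm.connectivity
  name                      = "hub-to-${azurerm_virtual_network.spoke.name}"
  resource_group_name       = "rg-connectivity"
  virtual_network_name      = data.azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true
}
```

From a VM in snet-workload, `az network nic show-effective-route-table` should list 0.0.0.0/0 with next hop type VirtualAppliance and the firewall's IP; if it still shows an Internet next hop, the route table association or BGP propagation setting is the usual culprit. Since the landing zone requirement also says to minimize data exfiltration, pair this route with Azure Firewall network and application rules that deny by default rather than relying on the route alone.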
Incorrect:
Not B: Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. If you don't configure forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from the Azure network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic. Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.
ExpressRoute forced tunneling is not configured via this mechanism, but instead, is enabled by advertising a default route via the ExpressRoute BGP peering sessions.
Note:
Requirements. Planned Changes
Litware plans to implement the following changes:
Design a landing zone strategy to refactor the existing Azure environment of Litware and deploy all future Azure workloads.
Requirements. Azure Landing Zone Requirements
Litware identifies the following landing zone requirements:
• Route all internet-bound traffic from landing zones through Azure Firewall in a dedicated Azure subscription.
• Provide a secure score scoped to the landing zone.
• Ensure that the Azure virtual machines in each landing zone communicate with Azure App Service web apps in the same zone over the Microsoft backbone network, rather than over public endpoints.
• Minimize the possibility of data exfiltration.
• Maximize network bandwidth.
The landing zone architecture will include the dedicated subscription, which will serve as the hub for internet and hybrid connectivity. Each landing zone will have the following characteristics:
• Be created in a dedicated subscription.
• Use a DNS namespace of litware.com.


Reference:

https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#service-chaining
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm



HOTSPOT (Drag and Drop is not supported)
You are evaluating the security of ClaimsApp.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Box 1: No
Box 2: Yes
Users will connect to ClaimsApp by using a URL of https://claims.fabrikam.com.
Need certificate for HTTPS.
TLS/SSL certificates
To enable the HTTPS protocol for securely delivering content on a Front Door custom domain, you must use a TLS/SSL certificate. You can choose to use a certificate that is managed by Azure Front Door or use your own certificate.
Box 3: Yes
By default, Azure Front Door will respond to all user requests regardless of the location where the request is coming from. In some scenarios, you may want to restrict the access to your web application by countries/regions. The Web application firewall (WAF) service in Front Door enables you to define a policy using custom access rules for a specific path on your endpoint to either allow or block access from specified countries/regions.
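Boxes 2 and 3 together, as an added Terraform example (not from the page or from Microsoft): the claims.fabrikam.com custom domain with an Azure-managed TLS certificate, a WAF custom rule that blocks requests whose source geolocates to North Korea (ISO code KP), and the origin lockdown from the first reference below, an App Service that accepts traffic only from this Front Door profile. Resource group, resource names, region and the App Service plan SKU are placeholders.

```hcl
# Added example, not from the page: Front Door custom domain + managed cert, WAF geo block,
# and an App Service origin that only admits THIS Front Door profile.
# Assumptions: resource group "rg-claims", names, region and plan SKU are placeholders.

resource "azurerm_cdn_frontdoor_profile" "fd" {
  name                = "afd-fabrikam"
  resource_group_name = "rg-claims"
  sku_name            = "Premium_AzureFrontDoor"
}

# Box 2: HTTPS on the custom domain needs a certificate; let Front Door manage it so
# there is no private key to store or rotate.
resource "azurerm_cdn_frontdoor_custom_domain" "claims" {
  name                     = "claims-fabrikam-com"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.fd.id
  host_name                = "claims.fabrikam.com"

  tls {
    certificate_type    = "ManagedCertificate"
    minimum_tls_version = "TLS12"
  }
}

# Box 3: WAF custom rule with a GeoMatch condition.
resource "azurerm_cdn_frontdoor_firewall_policy" "waf" {
  name                = "wafclaims"   # Front Door WAF policy names are alphanumeric only
  resource_group_name = "rg-claims"
  sku_name            = azurerm_cdn_frontdoor_profile.fd.sku_name
  enabled             = true
  mode                = "Prevention"  # "Detection" would only log the match

  custom_rule {
    name     = "BlockNorthKorea"
    enabled  = true
    priority = 1
    type     = "MatchRule"
    action   = "Block"

    match_condition {
      # SocketAddr is the TCP peer Front Door actually sees; RemoteAddr can be derived
      # from X-Forwarded-For, which a client controls.
      match_variable     = "SocketAddr"
      operator           = "GeoMatch"
      negation_condition = false
      match_values       = ["KP"]
    }
  }
}

# Bind the WAF policy to the custom domain for every path.
resource "azurerm_cdn_frontdoor_security_policy" "claims" {
  name                     = "secpol-claims"
  cdn_frontdoor_profile_id = azurerm_cdn_frontdoor_profile.fd.id

  security_policies {
    firewall {
      cdn_frontdoor_firewall_policy_id = azurerm_cdn_frontdoor_firewall_policy.waf.id
      association {
        domain {
          cdn_frontdoor_domain_id = azurerm_cdn_frontdoor_custom_domain.claims.id
        }
        patterns_to_match = ["/*"]
      }
    }
  }
}

# Origin lockdown: the geo block is meaningless if the web app answers directly.
resource "azurerm_service_plan" "claims" {
  name                = "asp-claims"
  resource_group_name = "rg-claims"
  location            = "westeurope"
  os_type             = "Linux"
  sku_name            = "P1v3"
}

resource "azurerm_linux_web_app" "claims" {
  name                = "app-claims-fabrikam"
  resource_group_name = "rg-claims"
  location            = azurerm_service_plan.claims.location
  service_plan_id     = azurerm_service_plan.claims.id
  https_only          = true

  site_config {
    ip_restriction {
      name        = "AllowThisFrontDoorOnly"
      priority    = 100
      action      = "Allow"
      service_tag = "AzureFrontDoor.Backend"
      headers {
        # The service tag admits every Front Door tenant; the X-Azure-FDID header pins
        # it to our profile.
        x_azure_fdid = [azurerm_cdn_frontdoor_profile.fd.resource_guid]
      }
    }
    # Once any allow rule exists, App Service applies an implicit deny-all for the rest.
  }
}
```

Test the lockdown, not just the WAF: a request to the app's *.azurewebsites.net hostname should return 403 while the same path through claims.fabrikam.com succeeds. If the direct request is served, a client in a blocked country simply bypasses Front Door and the geo rule never runs.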
Note: Requirements. Security Requirements
Fabrikam identifies the following security requirements:
• Internet-accessible applications must prevent connections that originate in North Korea.


Reference:

https://techcommunity.microsoft.com/t5/azure-architecture-blog/permit-access-only-from-azure-front-door-to-azure-app-service-as/ba-p/2000173
https://docs.microsoft.com/en-us/azure/frontdoor/front-door-custom-domain-https#tlsssl-certificates





