Free Microsoft SC-100 Exam Questions (page: 6)

You are designing a ransomware response plan that follows Microsoft Security Best Practices.

You need to recommend a solution to minimize the risk of a ransomware attack encrypting local user files.

What should you include in the recommendation?

  A. Windows Defender Device Guard
  B. Microsoft Defender for Endpoint
  C. Azure Files
  D. BitLocker Drive Encryption (BitLocker)
  E. protected folders

Answer(s): E



You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You are designing an Azure DevOps solution to deploy applications to an Azure subscription by using continuous integration and continuous deployment (CI/CD) pipelines.

You need to recommend which types of identities to use for the deployment credentials of the service connection. The solution must follow DevSecOps best practices from the Microsoft Cloud Adoption Framework for Azure.

What should you recommend?

  A. a managed identity in Azure
  B. a Microsoft Entra user account that has role assignments in Microsoft Entra Privileged Identity Management (PIM)
  C. a group managed service account (gMSA)
  D. a Microsoft Entra user account that has a password stored in Azure Key Vault

Answer(s): A



You have an Azure Kubernetes Service (AKS) cluster that hosts Linux nodes.

You need to recommend a solution to ensure that deployed worker nodes have the latest kernel updates. The solution must minimize administrative effort.

What should you recommend?

  A. The nodes must restart after the updates are applied.
  B. The updates must first be applied to the image used to provision the nodes.
  C. The AKS cluster version must be upgraded.

Answer(s): B

Explanation:

Patch and upgrade AKS worker nodes

This section of the Azure Kubernetes Service (AKS) day-2 operations guide describes patching and upgrading practices for AKS worker nodes and Kubernetes (K8S) versions.

Node image upgrades

Microsoft provides patches and new images for image nodes weekly. For AKS Linux nodes, we have two mechanisms to patch the nodes: unattended updates and node image upgrade. Unattended updates are automatic, but they don't account for kernel level patches. You're required to use something like KURED or node image upgrade to reboot the node and complete the cycle. For node image upgrade, we create a patched node every week for customers to use, which would require applying that patched virtual hard disk (VHD).

Auto-upgrade with the node image update SKU can automate the process.


Reference:

https://learn.microsoft.com/en-us/azure/architecture/operator-guides/aks/aks-upgrade-practices



You have the following on-premises servers that run Windows Server:

Two domain controllers in an Active Directory Domain Services (AD DS) domain

Two application servers named Server1 and Server2 that run ASP.NET web apps

A VPN server named Server3 that authenticates by using RADIUS and AD DS

End users use a VPN to access the web apps over the internet.

You need to redesign a user access solution to increase the security of the connections to the web apps. The solution must minimize the attack surface and follow the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).

What should you include in the recommendation?

  A. Publish the web apps by using Microsoft Entra Application Proxy.
  B. Configure the VPN to use Microsoft Entra authentication.
  C. Configure connectors and rules in Microsoft Defender for Cloud Apps.
  D. Configure web protection in Microsoft Defender for Endpoint.

Answer(s): A

Explanation:

Microsoft Defender Secure On premises web app VPN
Modernize secure access for your on-premises resources with Zero Trust

When it comes to classic or on-premises applications, Microsoft Entra Application Proxy enables your security team to easily apply the same policies and security controls used for cloud apps to your on-premises apps.

Note: Using Microsoft Entra Application Proxy to publish on-premises apps for remote users

Microsoft Entra ID offers many capabilities for protecting users, apps, and data in the cloud and on-premises.
In particular, the Microsoft Entra Application Proxy feature can be implemented by IT professionals who want to publish on-premises web applications externally. Remote users who need access to internal apps can then access them in a secure manner.

While not comprehensive, the list below illustrates some of the things you can enable by implementing Application Proxy in a hybrid coexistence scenario:

* Publish on-premises web apps externally in a simplified way without a DMZ
* Support single sign-on (SSO) across devices, resources, and apps in the cloud and on-premises
* Support multi-factor authentication for apps in the cloud and on-premises
* Quickly leverage cloud features with the security of the Microsoft Cloud
* Centralize user account management
* Centralize control of identity and security
* Automatically add or remove user access to applications based on group membership

This article explains how Microsoft Entra ID and Application Proxy give remote users a single sign-on (SSO) experience. Users securely connect to on-premises apps without a VPN or dual-homed servers and firewall rules.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/what-is-application-proxy
https://www.microsoft.com/en-us/security/blog/2020/11/19/modernize-secure-access-for-your-on-premises-resources-with-zero-trust/



HOTSPOT (Drag and Drop is not supported)

You have a Microsoft 365 E5 subscription that uses Microsoft Purview, SharePoint Online, and OneDrive for Business.

You need to recommend a ransomware protection solution that meets the following requirements:

Mitigates attacks that make copies of files, encrypt the copies, and then delete the original files

Mitigates attacks that encrypt files in place

Minimizes administrative effort

What should you include in the recommendation? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Data loss prevention (DLP) policies
Mitigates attacks that make copies of files, encrypt the copies, and then delete the original files
Minimizes administrative effort

Protective actions of DLP policies

DLP policies are how you monitor the activities that users take on sensitive items at rest, sensitive items in transit, or sensitive items in use and take protective actions. For example, when a user attempts to take a prohibited action, like copying a sensitive item to an unapproved location or sharing medical information in an email or other conditions laid out in a policy, DLP can:

* show a pop-up policy tip to the user that warns them that they may be trying to share a sensitive item inappropriately
* block the sharing and, via a policy tip, allow the user to override the block and capture the users' justification
* block the sharing without the override option
* for data at rest, sensitive items can be locked and moved to a secure quarantine location
* for Teams chat, the sensitive information won't be displayed

Box 2: Versioning
Mitigates attacks that encrypt files in place
Minimizes administrative effort

Ransomware

There are many forms of ransomware attacks, but one of the most common forms is where a malicious individual encrypts a user's important files and then demands something from the user, such as money or information, in exchange for the key to decrypt them. Ransomware attacks are on the rise, particularly those that encrypt files that are stored in the user's cloud storage.

Versioning helps to protect SharePoint Online lists and SharePoint Online and OneDrive for Business libraries from some, but not all, of these types of ransomware attacks. Versioning is enabled by default in OneDrive for Business and SharePoint Online. Since versioning is enabled in SharePoint Online site lists, you can look at earlier versions and recover them, if necessary. That enables you to recover versions of items that pre-date their encryption by the ransomware. Some organizations also retain multiple versions of items in their lists for legal reasons or audit purposes.


Reference:

https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
https://learn.microsoft.com/en-us/compliance/assurance/assurance-malware-and-ransomware-protection



You are designing a security operations strategy based on the Zero Trust framework.

You need to minimize the operational load on Tier 1 Microsoft Security Operations Center (SOC) analysts.

What should you do?

  A. Enable built-in compliance policies in Azure Policy.
  B. Enable self-healing in Microsoft Defender XDR.
  C. Automate data classification.
  D. Create hunting queries in Microsoft Defender XDR.

Answer(s): B



DRAG DROP (Drag and Drop is not supported)

You are designing a security operations strategy based on the Zero Trust framework.

You need to increase the operational efficiency of the Microsoft Security Operations Center (SOC).

Based on the Zero Trust framework, which three deployment objectives should you prioritize in sequence? To answer, move the appropriate objectives from the list of objectives to the answer area and arrange them in the correct order.

Select and Place:

  A. See Explanation section for answer.

Answer(s): A

Explanation:




Step 1: Establish visibility

Visibility, automation, and orchestration Zero Trust deployment objectives

When implementing an end-to-end Zero Trust framework for visibility, automation, and orchestration, we recommend you focus first on these initial deployment objectives:

I. Establish visibility.
The first step is to establish visibility by enabling Microsoft Threat Protection (MTP).

Step 2: Enable automation
II. Enable automation.

After these are completed, focus on these additional deployment objectives:

Step 3: Enable additional protection and detection controls
III. Enable additional protection and detection controls.

Incorrect:
* Establish ransomware recovery readiness
* Implement disaster recovery


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/deploy/visibility-automation-orchestration



HOTSPOT (Drag and Drop is not supported)

You have an Azure subscription that contains multiple apps. The apps are managed by using continuous integration and continuous deployment (CI/CD) pipelines in Azure DevOps.

You need to recommend DevSecOps controls for the Commit the code and the Build and test CI/CD process stages based on the Microsoft Cloud Adoption Framework for Azure.

Which testing method should you recommend for each stage? To answer, select the appropriate options in the answer area.

Note: Each correct selection is worth one point.

Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Static application security testing (SAST)
Commit the code



Box 2: Dynamic application security testing (DAST)
Build and test


Reference:

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/secure/devsecops-controls


