Free Microsoft SC-100 Exam Braindumps (page: 9)

You have a Microsoft Entra tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Microsoft Entra.
You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices.
You plan to remove all the domain accounts from the Administrators groups on the Windows computers.
You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised.
What should you include in the recommendation?

  A. Local Administrator Password Solution (LAPS)
  B. Microsoft Entra Identity Protection
  C. Microsoft Entra Privileged Identity Management (PIM)
  D. Privileged Access Workstations (PAWs)

Answer(s): A

Explanation:

Microsoft's "Local Administrator Password Solution" (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Microsoft Entra ID, protected by ACLs, so only eligible users can read them or request their reset.
Microsoft LAPS is short for Microsoft Local Administrator Password Solution. When installed and enabled on domain-joined computers it takes over the management of passwords of local accounts. Passwords are automatically changed to random characters that meet the domain’s password policy requirements at a frequency that you define through Group Policy.
The passwords are stored in a protected “confidential” attribute on the Computer object in AD. Unlike most other attributes which can be read by all domain users by default, the confidential attributes require extra privileges to be granted in order to read them, thus securing the managed passwords.
Incorrect:
Not B: Integrate on-premises Microsoft Entra domains with Microsoft Entra ID
Validate security configuration and policy, Actively monitor Microsoft Entra ID for signs of suspicious activity
Consider using Microsoft Entra ID P2 edition, which includes Microsoft Entra ID Protection. Identity Protection uses adaptive machine learning algorithms and heuristics to detect anomalies and risk events that may indicate that an identity has been compromised. For example, it can detect potentially unusual activity such as irregular sign-in activities, sign-ins from unknown sources or from IP addresses with suspicious activity, or sign-ins from devices that may be infected. Identity Protection uses this data to generate reports and alerts that enable you to investigate these risk events and take appropriate action.
Not C: Microsoft Entra PIM is a service in Microsoft Entra ID that enables you to manage, control, and monitor access to resources in Microsoft Entra ID, Azure, and other Microsoft Online Services such as Microsoft 365 or Microsoft Intune.
Not D: Privileged Access Workstations (PAWs) provide a dedicated operating system for sensitive tasks that is protected from Internet attacks and threat vectors. Separating these sensitive tasks and accounts from the daily use workstations and devices provides very strong protection from phishing attacks, application and OS vulnerabilities, various impersonation attacks, and credential theft attacks such as keystroke logging, Pass-the-Hash, and Pass-the-Ticket.


Reference:

https://craighays.com/microsoft-laps/
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/identity/azure-ad



DRAG DROP
For a Microsoft cloud environment, you need to recommend a security architecture that follows the Zero Trust principles of the Microsoft Cybersecurity Reference Architectures (MCRA).
Which security methodologies should you include in the recommendation? To answer, drag the appropriate methodologies to the correct principles. Each methodology may be used once, more than once, or not at all.
NOTE: Each correct selection is worth one point.
Select and Place:

  A. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1 (Assume breach): Segment access
Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Box 2 (Verify explicitly): Data classification
Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Box 3 (Use least-privilege access): Just-in-time (JIT) access
Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.


Reference:

https://www.microsoft.com/en-us/security/business/zero-trust



You have legacy operational technology (OT) devices and IoT devices.
You need to recommend best practices for applying Zero Trust principles to the OT and IoT devices based on the Microsoft Cybersecurity Reference Architectures (MCRA). The solution must minimize the risk of disrupting business operations.
Which two security methodologies should you include in the recommendation? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  A. active scanning
  B. threat monitoring
  C. software patching
  D. passive traffic monitoring

Answer(s): B,C

Explanation:

Microsoft Cybersecurity Reference Architectures
Apply zero trust principles to securing OT and industrial IoT environments
Operational Technology (OT) Environments: Safety/Integrity/Availability
• Hardware Age: 50-100 years (mechanical + electronic overlay)
• Warranty length: up to 30-50 years
• Protocols: Industry Specific (often bridged to IP networks)
• Security Hygiene: Isolation, threat monitoring, managing vendor access risk, (patching rarely)
Information Technology (IT) Environments: Confidentiality/Integrity/Availability
• Hardware Age: 5-10 years
• Warranty length: 3-5 years
• Protocols: Native IP, HTTP(S), Others
• Security Hygiene: Multi-factor authentication (MFA), patching, threat monitoring, antimalware


Reference:

https://learn.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra



You have an on-premises network and a Microsoft 365 subscription. You are designing a Zero Trust security strategy.
Which two security controls should you include as part of the Zero Trust solution? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.

  A. Always allow connections from the on-premises network.
  B. Disable passwordless sign-in for sensitive accounts.
  C. Block sign-in attempts from unknown locations.
  D. Block sign-in attempts from noncompliant devices.

Answer(s): C,D

Explanation:

Securing identity with Zero Trust
User, device, location, and behavior is analyzed in real time to determine risk and deliver ongoing protection.
As users appear on new devices and from new locations, being able to respond to an MFA challenge is one of the most direct ways that your users can teach us that these are familiar devices/locations as they move around the world (without having administrators parse individual signals).
Incorrect:
Not B: Use passwordless authentication to reduce the risk of phishing and password attacks
With Azure AD supporting FIDO 2.0 and passwordless phone sign-in, you can move the needle on the credentials that your users (especially sensitive/privileged users) are employing day-to-day. These credentials are strong authentication factors that can mitigate risk as well.
Cloud identity federates with on-premises identity systems


Reference:

https://learn.microsoft.com/en-us/security/zero-trust/deploy/identity#v-user-device-location-and-behavior-is-analyzed-in-real-time-to-determine-risk-and-deliver-ongoing-protection


