(AZ-900 topic) Describe general security and network security features Flashcards

This AZ-900 topic assesses your ability to show an understanding of Azure security features and Azure network security features. Questions for this domain make up 13% of the total questions on the AZ-900.

1
Q

Regarding this diagram, which service might you place at 1 to protect the connection credentials from the web service to the SQL database, but also allow access to third party applications?

  • Azure Sentinel
  • Azure Information Protection
  • A Network Security Group
  • Azure Key Vault
A

-Azure Key Vault

Azure Key Vault stores the connection credentials securely. The third-party application never holds the secret in its own configuration: it authenticates to Azure AD, presents its token to Key Vault, and is allowed to read the secret only while the vault's access policy (or RBAC assignment) grants it permission. That permission can be revoked without rotating the credential itself.

2
Q

You are in charge of an Azure database that has valuable and sensitive data stored in it. You need a third party client to access this data. How would you provide access in the most secure way?

  • Use Azure Key Vault to create a single use password for the database. The client can use this to get an authentication token for further use.
  • Use Azure Key Vault to protect and share the password without revealing it.
  • Store the data in the secure tier data storage and provide access via a secure token only.
  • Use Azure Information Protection to secure and track any piece of data accessed.
A

Use Azure Key Vault to protect and share the password without revealing it.

Azure Key Vault is used to protect secrets and passwords. You can grant a third party permission to read a secret at runtime without ever revealing it to them directly, which lets them access your resources securely while you retain control over, and can revoke, that access.

3
Q

Which of the following components can be used to load balance traffic to web applications, such as Azure App Service web apps using layer 7 of the OSI model?

  • Virtual Network
  • Load Balancer
  • Application Gateway
  • Route table-Virtual Network Gateway
A

-Application Gateway

Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. It operates at layer 7 of the OSI model, so it understands HTTP: it can inspect headers and route requests to different backend pools based on the URL path or host name of a request, which a layer 4 load balancer (working only on addresses and ports) cannot do.
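What "understands HTTP" means in practice, as an added example (this is not code from the flashcard deck and not Azure's implementation): the gateway terminates the client connection, parses the request line and the Host header, and picks a backend pool by host name and longest matching path prefix. The host names, pool names and sample requests below are constructed for the demo.

```python
"""Layer-7 routing decision modelled on Application Gateway path-based rules.

Added example, not code from the flashcard deck or from Azure. Host names,
pools and requests are constructed for this demo.
"""
from __future__ import annotations

# Constructed multi-site listener configuration: host -> (path prefix, pool).
# "/*" is the default pool for paths that match nothing more specific.
PATH_RULES: dict[str, list[tuple[str, str]]] = {
    "app.example.com": [
        ("/images/", "pool-static"),
        ("/api/", "pool-api"),
        ("/*", "pool-web"),
    ],
    "admin.example.com": [
        ("/*", "pool-admin"),
    ],
}


def parse_request(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def choose_backend(raw: bytes) -> str | None:
    """Return the backend pool for a request, or None if no listener matches.

    A layer-4 load balancer never sees any of this: it only has the 5-tuple
    (addresses, ports, protocol) and cannot tell /api/ from /images/.
    """
    _method, target, headers = parse_request(raw)
    host = headers.get("host", "").split(":", 1)[0].lower()
    path = target.split("?", 1)[0]
    rules = PATH_RULES.get(host)
    if rules is None:
        return None
    # Longest matching prefix wins, so /images/ beats /* regardless of order.
    best: tuple[int, str] | None = None
    for prefix, pool in rules:
        if prefix == "/*" or path.startswith(prefix):
            score = 0 if prefix == "/*" else len(prefix)
            if best is None or score > best[0]:
                best = (score, pool)
    return best[1] if best else None


# Constructed sample requests.
REQ_IMAGE = b"GET /images/logo.png HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
REQ_API = b"POST /api/v1/orders?x=1 HTTP/1.1\r\nHost: app.example.com:443\r\nContent-Length: 0\r\n\r\n"
REQ_ROOT = b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n"
REQ_ADMIN = b"GET /api/ HTTP/1.1\r\nHost: admin.example.com\r\n\r\n"
REQ_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n"

if __name__ == "__main__":
    for req in (REQ_IMAGE, REQ_API, REQ_ROOT, REQ_ADMIN, REQ_UNKNOWN):
        print(req.split(b"\r\n", 1)[0].decode(), "->", choose_backend(req))
```

Note that the same path (`/api/`) lands in different pools depending on the Host header, and a host with no listener gets no backend at all; both decisions require reading the application payload, which is exactly the layer-7 capability the question is asking about.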

4
Q

Your company wants to use Azure to deploy various solutions. It wants to detect and prevent attacks that use compromised credentials against resources in its environment. Which of the following helps prevent such attacks by using built-in sensors?

  • Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)
  • Azure DDoS Protection
  • Azure Privileged Identity Management
  • Azure AD Identity Protection
A

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection)

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) is a cloud-based security solution that uses sensors installed on your on-premises Active Directory domain controllers to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft routinely renames its services, including this one (other examples: Azure Security Center is now Microsoft Defender for Cloud, and Azure Sentinel is now Microsoft Sentinel). Be aware of this both on the exam, where you may encounter the new or old names, and in the real world.

5
Q

Which Azure service should you use to store certificates?

  • Azure Information Protection
  • Azure storage account
  • Azure Security Center
  • Azure Key Vault
A

Azure Key Vault

Azure Key Vault can be used to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

6
Q

Your company has a new Azure virtual network that needs to be secured. What is the best way to only allow specific kinds of outside traffic into this network?

  • Using the Azure DDoS Protection Service when configured for inbound traffic.
  • Use an Azure Network Security Group attached to the virtual network.
  • Use a load balancer in front of the network to use rules to limit the traffic.
  • Use an Azure Firewall attached to the virtual network.

(choose 1)

A

-Use an Azure Firewall attached to the virtual network.

Azure Firewall is a managed, stateful firewall deployed into its own subnet of the virtual network; it denies any inbound or outbound traffic that is not explicitly allowed by its rules and can filter on application-level attributes such as FQDNs. A Network Security Group filters traffic at the subnet or network interface level (it is not attached to the virtual network itself), Azure DDoS Protection mitigates volumetric attacks, and a load balancer distributes traffic to specific VMs rather than filtering it.

7
Q

You need to protect emails, documents and important data that will be shared outside your company. What Azure service should you use?

  • Azure Artifacts.
  • Azure Data Box.
  • Azure Information Protection.
  • Azure Pipelines.

(choose 1)

A

-Azure Information Protection.

Azure Information Protection allows you to protect emails, documents and other data and define who can access the information and what they can do with it. Azure Artifacts is a developer tool for managing source code packages. Azure Pipelines is a developer tool for continuous deployment. Azure Data Box is a physical box for transferring data.

8
Q

The Angry Llamas corporation has asked you to implement a solution that will monitor users in their on-premises environment and their behavior, to make sure any suspicious behavior is caught. What is a solution to do this?

  • Use the alert feature in Azure Active Directory to monitor user behavior and raise alerts for anything out of the ordinary.
  • Use Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  • Use Azure Information Protection to monitor, analyse and profile user behavior, and raise alerts if unusual behavior is detected.
  • Use an Azure Firewall to monitor the traffic entering the network and the Azure services attached to it.
A

-Use Microsoft Defender for Identity (formerly Azure Advanced Threat Protection) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

9
Q

You are looking to restrict internet traffic to a Windows virtual machine - what Azure functionality would you choose to accomplish this?

  • Public IP Address
  • Resource Group
  • Redis
  • Network Security Groups
A

-Network Security Groups

Appropriately configured Network Security groups allow you to control all inbound and outbound traffic for your virtual machines.

10
Q

You want to protect your Azure services from attacks that send large amounts of usually allowed traffic from the outside world and that might overwhelm your services. Which is the best way you can do this?

  • Use an Azure Firewall attached to the virtual network that faces the Internet.
  • Use the Azure DDoS Protection Service to protect against denial of service attacks.
  • Use a load balancer in front of the services to mitigate the attacks and distribute the traffic to multiple machines.
  • Use Advanced Threat Protection to secure the network.
A

-Use the Azure DDoS Protection Service to protect against denial of service attacks.

Azure DDoS Protection mitigates denial of service attacks, which flood a service with large volumes of otherwise legitimate-looking traffic, so it is the right service here. A firewall or load balancer still has to process every packet and can itself be overwhelmed.

11
Q

What is one simple way to ensure you meet certain governance rules and regulations when setting up a new Azure environment?

  • Use a support plan of Professional Direct or Premier level to get Architecture help for a new Azure environment.
  • Use the Azure Template Wizard when creating a new service.
  • Use Azure Blueprints.
  • Use Azure Compliance Monitor to compare your infrastructure against.
A

Use Azure Blueprints.

Azure Blueprints are templates for creating compliant Azure environments: they package policy assignments, role assignments, resource groups and ARM templates so that new subscriptions start out meeting the standards and regulations that apply to your company. You can get architecture help through a support plan too, but that is far more laborious and is not enforced on every deployment. (Microsoft has announced that Blueprints will be retired in favour of template specs and deployment stacks; for the exam the expected answer is still Blueprints.)

12
Q

What should you use to evaluate whether your company’s Azure environment meets regulatory requirements? (choose 2)

  • Knowledge Center
  • Compliance Manager
  • Azure Advisor
  • Azure Security Center
A

Compliance Manager

Azure Security Center

Azure Security Center (now Microsoft Defender for Cloud) and Compliance Manager are the correct answers. Azure Security Center has a regulatory compliance dashboard that maps your resources against standards such as ISO 27001 and PCI DSS, and Compliance Manager enables you to track, assign, and verify your organization's regulatory compliance activities related to Microsoft Professional Services and Microsoft cloud services, such as Microsoft Office 365, Microsoft Dynamics 365, and Microsoft Azure. The other answers are incorrect: Azure Knowledge Center is a site for answers to common support questions and is not used to determine regulatory compliance; Azure Advisor is a personalized cloud consultant that recommends best practices to improve the cost-effectiveness, performance, high availability, and security of your Azure resources, but it does not assess regulatory compliance.

13
Q

Which of the following statements best describes a Network Security Group?

  • Network Security Groups are established connections between your network and Azure.
  • Network Security Groups contain inbound and outbound security rules enabling traffic to be filtered.
  • Network Security Groups are groups of devices within a subnet that perform security functions.
  • Network Security Groups are another name for peered virtual networks, allowing secure communication between resources.
A

Network Security Groups contain inbound and outbound security rules enabling traffic to be filtered.

Network Security Groups are used to filter traffic to and from resources in an Azure virtual network. They contain lists of security rules which allow or deny inbound and outbound traffic. The security rules contain properties such as priority, source or destination, protocol, direction, port range and action.

14
Q

You are working with the enterprise security team. The CEO has asked you to recommend the most powerful tool for detecting suspicious activity and threats across the company. You need to cover Windows Server 2012 R2 and Linux servers.

Which of the following is the best tool to recommend?

  • Microsoft Defender Advanced Threat Protection
  • Azure Advanced Threat Protection (ATP)
  • Azure Security Center
  • Azure Sentinel
A

Azure Sentinel

Azure Sentinel (now Microsoft Sentinel) is the most powerful tool for detecting abnormal behaviour, not only in the cloud environment but on-premises as well. It is built on Log Analytics workspaces, where the collected logs are stored. Sentinel lets you collect data from users, devices and applications on-premises or in multiple clouds, and when paired with Microsoft's analytics and threat intelligence it can surface previously undetected threats while minimizing false positives.

At the time of writing, Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) supports Linux servers, but it is an endpoint protection product rather than a SIEM. Microsoft Defender for Identity (formerly Azure ATP) runs sensors on on-premises Active Directory domain controllers and watches identity activity; it does not protect Linux servers directly. Both feed signals into Sentinel, but neither correlates data across all sources the way Sentinel does.

Azure Security Center (now Microsoft Defender for Cloud) is less powerful than Sentinel for cross-source threat hunting, although it does surface anomalies for the resources it protects.

Azure Sentinel is a security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution, while Security Center is not.

15
Q

Your company needs to host multiple virtual machines that run an application your customers use in the East US region of Azure. You need to ensure that no other customer's VMs are placed on the physical machines in the data center. All VMs need to have high availability using availability zones.

What should you use?

  • Desired State Configuration
  • Azure Board
  • Azure Pipelines
  • Azure DevTest Labs
  • Dedicated Host
  • Azure Advisor
A

Dedicated Host

Azure Dedicated Host is a service that provisions physical hardware in a data center dedicated to one or more of your company's virtual machines and no one else's. Dedicated hosts are physical servers that provide hardware isolation at the physical server level; they share the same network and storage as non-isolated hosts. Dedicated hosts can opt in or opt out of a maintenance window to reduce the impact on the workload running on the host. You can deploy multiple dedicated hosts across availability zones for high availability, or across fault domains for fault isolation.

You would not choose Desired State Configuration (DSC) because it defines and enforces a configuration state for your machines. DSC does not ensure that VMs are physically isolated on specific hardware.

You would not choose Azure Advisor. Azure Advisor examines resource configuration and usage and provides recommended solutions. Recommendations for cost, security, reliability (formerly high availability), operational excellence, and performance are combined into a single dashboard. Azure Advisor only makes recommendations; it cannot place VMs on isolated hardware.

Azure DevTest Labs lets your team create VMs and PaaS resources without approvals, for example multiple VMs or an empty resource group as a sandbox. You can use reusable templates and artifacts to provision your environment with Windows or Linux VMs quickly, and VMs can be created from custom images that have all required software and tools installed. Azure DevTest Labs does not ensure VMs will be physically isolated on specific hardware.

You would not choose Azure Pipelines because it integrates your code repository with builds and releases in Azure DevOps.

You would not choose Azure Boards. Azure Boards uses agile methodology to track and plan projects using tools such as scrum boards, Kanban boards, and dashboards.

16
Q

The Nutex Corporation plans to comply with all the privacy, compliance, and data protection standards. You are asked to investigate the security, compliance, and privacy offerings and commitments from Microsoft.

Which of the following statements about the Azure Service Trust Portal are TRUE? (Select all that apply.)

  • If an Azure tenant is deactivated, Microsoft permanently deletes all data for that tenant in the Service Trust Portal within 24 hours of tenant deactivation.
  • If a customer’s cloud subscription expires, Microsoft will delete the data in the subscription in 90 days without any notice
  • The Azure Service Trust Portal provides Security and Compliance Blueprints to assist customers with building applications that comply with compliance regulations and standards.
  • All transactions to Azure Storage through the Azure portal occur via HTTPS.
  • Microsoft’s privacy principle states that Microsoft will not use your email, chat, files, or other personal content to target ads to you.
A
  • If an Azure tenant is deactivated, Microsoft permanently deletes all data for that tenant in the Service Trust Portal within 24 hours of tenant deactivation.
  • The Azure Service Trust Portal provides Security and Compliance Blueprints to assist customers with building applications that comply with compliance regulations and standards.
  • Microsoft’s privacy principle states that Microsoft will not use your email, chat, files, or other personal content to target ads to you.

Microsoft’s privacy principle states that Microsoft will not use your email, chat, files, or other personal content to target ads to you. Microsoft’s privacy principle also states that:

  1. You are in control of your privacy with easy-to-use tools and clear choices.
  2. Microsoft will be transparent about data collection and use so that you can make informed decisions.
  3. Microsoft protects your data with strong security and encryption.
  4. Microsoft will respect your local privacy laws and fight for legal protection of your privacy as a right.
  5. When Microsoft collects data, Microsoft will use it to benefit you and to make your experiences better.
  6. If an Azure tenant is deactivated, Microsoft permanently deletes all data for that tenant in the Service Trust Portal (e.g. user information and data uploaded to Compliance Manager) within 24 hours of tenant deactivation.
  7. The Azure Service Trust Portal provides Security and Compliance Blueprints to assist customers with building applications that comply with compliance regulations and standards.

Azure Security and Compliance Blueprints include: industry-specific overviews and guidance, customer responsibilities matrix, reference architectures with threat models, control implementation matrices, and automation to deploy reference architectures.

If a customer’s cloud subscription expires, Microsoft will not delete the data in the subscription in 90 days without notice. If you terminate a cloud subscription or it expires (except for free trials), Microsoft will store your customer data in a limited-function account for 90 days (the “retention period”) to give you time to extract the data or renew your subscription. During this period, Microsoft provides multiple notices so you will be amply forewarned of the upcoming deletion of data.

17
Q

The Nutex Corporation has suffered severe DDoS attacks that exhausted application resources and caused outages. Nutex plans to implement Azure DDoS Protection.

Which of the following statements about Azure DDoS Protection are TRUE? (Select all that apply.)

  • The threshold value of 1 for a DDoS Protection alert means that the IP address is not under attack.
  • The Azure DDoS Protection Telemetry feature is active only for the duration for which the IP address is under mitigation.
  • The Azure DDoS Protection Basic service tier provides post-attack mitigation reports.
  • The Network Contributor role’s privileges must be applied to the user account that can create and manage Azure DDoS Protection plans.
  • Azure DDoS Protection protects both private and public IP addresses.
A
  • The Azure DDoS Protection Telemetry feature is active only for the duration for which the IP address is under mitigation.
  • The Network Contributor role’s privileges must be applied to the user account that can create and manage Azure DDoS Protection plans.

To work with DDoS protection plans, the account must be assigned to the Network Contributor role or a custom role that has privileges to create, delete, read, or join a DDoS Protection plan.

Telemetry for an attack is provided through Azure Monitor in real time. The telemetry is available only for the duration that a public IP address is under mitigation. Telemetry is not available before or after an attack is mitigated.

Azure DDoS protection in conjunction with application design best practices provides defense against DDoS attacks.

The Azure DDoS Protection Basic service tier (now called DDoS infrastructure protection) provides always-on traffic monitoring and real-time mitigation of common network-level attacks, and it is enabled for every Azure public IP at no charge. This tier does NOT include features such as attack analytics, alerting and post-attack mitigation reports, which are available with the Azure DDoS Protection Standard tier (now DDoS Network Protection, with a per-resource DDoS IP Protection SKU also available).

Azure DDoS Protection does not protect private IP addresses. Azure DDoS Protection protects ONLY public IPv4 and IPv6 addresses from DDoS attacks.

Threshold is one of the settings configured to produce alerts for DDoS Protection. When the value of Threshold is 1, the IP address IS under attack. When the value of the Threshold is 0, the IP address IS NOT under attack.

18
Q

Your company will be deploying new servers that will host an application that customers will use. A security analyst named Deborah needs to ensure the following objectives are met:

Websites are protected from attackers exhausting application resources

Reports are generated that detail any attempted attacks.

Deborah’s solution is to recommend using Azure DDos Protection Basic.

Does the solution meet the objectives?

Yes or no.

A

No.

You should use DDoS Protection Standard instead of DDoS Protection Basic. Both tiers mitigate DDoS attacks that would exhaust application resources, and Azure provides DDoS Protection Basic for free, but only the Standard tier provides alerting, telemetry, and diagnostic logging. Those logs (mitigation flow logs and mitigation reports sent to Azure Monitor) are what you use to generate reports with detailed information about attempted attacks.

19
Q

What is the easiest way to quickly determine your security posture on Azure?

  • Use the security coverage calculator in the Azure Portal to estimate the coverage of your security policies.
  • Set up an Azure Firewall and monitor how many malicious requests are stopped.
  • Create a new virtual machine and observe the initial security concerns as noted by the Azure Security Center.
  • Read the secure score in the Azure Security Center.
A

Read the secure score in the Azure Security Center.

Azure Security Center (now Microsoft Defender for Cloud) constantly reviews your active recommendations and calculates your secure score from them, giving a single percentage that summarizes your current security posture across subscriptions.

20
Q

Which of the following can be used to restrict connectivity to Azure virtual machines or subnets?

  • Virtual network gateway
  • Network security group (NSG)
  • Service endpoint
  • Route table
A
  • Network security group (NSG)

You can filter network traffic to and from resources in a virtual network using network security groups, associated with a subnet or a network interface. A route table controls how Azure routes traffic leaving a subnet but does not filter it, and a virtual network gateway or service endpoint provides connectivity rather than restricting it.
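The rule properties listed in card 13 (priority, direction, source, destination, protocol, port range, action), together with the NSG answers in cards 9 and 20, decide a packet's fate by first match in ascending priority, with Azure's non-deletable default rules as the fallback. The Python model below is an added example, not code from this flashcard deck or from Azure: the VNet address space, custom rules and sample flows are constructed, and the service tags are reduced to the few prefixes the demo needs (the AzureLoadBalancer tag is modelled as Azure's documented 168.63.129.16 probe address). It shows the consequence that matters when hardening a VM: an NSG with no custom rules already blocks inbound Internet traffic, but it allows everything from inside the virtual network, including RDP.

```python
"""Simulate Azure NSG rule evaluation over constructed rules and flows.

Added example, not code from the flashcard deck or from Azure. Models how an
NSG picks the first matching rule by ascending priority and falls through to
the platform default rules (priorities 65000-65500). The VNet address space,
custom rules and sample flows are constructed for this demo.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VNet address space that the "VirtualNetwork" service tag expands to.
VNET_PREFIXES = [ip_network("10.0.0.0/16")]
# Azure platform address used for load balancer health probes (AzureLoadBalancer tag).
AZURE_LB_PROBE = ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int       # 100-4096 for custom rules; lower number is evaluated first
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # service tag, CIDR, or "*"
    dest: str
    dest_ports: str     # "443", "1000-2000", or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: int


def _addr_matches(spec: str, addr: str) -> bool:
    ip = ip_address(addr)
    in_vnet = any(ip in net for net in VNET_PREFIXES)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "AzureLoadBalancer":
        return ip == AZURE_LB_PROBE
    if spec == "Internet":
        # Simplified: anything outside the VNet that is not the platform probe.
        return not in_vnet and ip != AZURE_LB_PROBE
    return ip in ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


# Default rules Azure adds to every NSG; they cannot be deleted, only
# overridden by custom rules with a lower priority number.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def evaluate(rules: list[Rule], flow: Flow) -> tuple[str, str]:
    """Return (access, rule_name) for the first rule that matches the flow."""
    for rule in sorted(rules + DEFAULT_RULES, key=lambda r: r.priority):
        if rule.direction != flow.direction:
            continue
        if rule.protocol != "*" and rule.protocol.lower() != flow.protocol.lower():
            continue
        if not (_addr_matches(rule.source, flow.src) and _addr_matches(rule.dest, flow.dst)):
            continue
        if not _port_matches(rule.dest_ports, flow.dst_port):
            continue
        return rule.access, rule.name
    raise AssertionError("the DenyAll default rules guarantee a match")


# Constructed custom rules: publish HTTPS, keep RDP off the Internet explicitly.
CUSTOM_RULES = [
    Rule("AllowHttpsInBound", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("DenyRdpFromInternet", 110, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
]

if __name__ == "__main__":
    samples = [
        Flow("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 443),
        Flow("Inbound", "Tcp", "203.0.113.5", "10.0.1.4", 3389),
        Flow("Inbound", "Tcp", "10.0.2.7", "10.0.1.4", 3389),
        Flow("Inbound", "Tcp", "168.63.129.16", "10.0.1.4", 80),
        Flow("Outbound", "Udp", "10.0.1.4", "8.8.8.8", 53),
    ]
    for f in samples:
        print(f"{f.direction:8} {f.protocol} {f.src}->{f.dst}:{f.dst_port}", evaluate(CUSTOM_RULES, f))
```

Run it and the RDP flow from 10.0.2.7 is allowed by AllowVnetInBound: the defaults do not close lateral-movement paths inside a VNet, so restricting management ports to a jump host or to a named source prefix needs an explicit rule with a priority below 65000. The explicit DenyRdpFromInternet rule is redundant with DenyAllInBound but is a common practice, because it keeps the intent visible if someone later adds a broad allow rule at a higher priority number.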