
SC-100 Exam - Question 159


You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain.

You have an on-premises datacenter that contains 100 servers. The servers run Windows Server and are backed up by using Microsoft Azure Backup Server (MABS).

You are designing a recovery solution for ransomware attacks. The solution follows Microsoft Security Best Practices.

You need to ensure that a compromised administrator account cannot be used to delete the backups.

What should you do?

Correct Answer: AC

To ensure that a compromised administrator account cannot be used to delete backups, the most effective solution is to configure multi-user authorization (MUA) using Resource Guard. MUA adds an additional layer of security where critical operations such as deleting backups require authorization from multiple administrators. This means if one administrator account is compromised, it alone cannot delete the backups without approval from another authorized user, thereby adhering to best security practices for ransomware protection.

Discussion

17 comments
MaciekMT Option: C
Apr 18, 2023

Option A is incorrect because multi-user authorization by using Resource Guard is used to provide additional protection for Azure resources, but it does not address the issue of compromised administrator accounts in MABS.

EM1234
May 9, 2023

I think this is correct. It is subtle but, being that both a and c do kind of satisfy the requirements, this difference is very important. Thank you MaciekMT.

deadheadx
Jul 21, 2024

it does: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats

DashRyde Option: A
Apr 16, 2023

MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization. ref: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq

sherifhamed Option: C
Sep 18, 2023

C. From a Recovery Services vault, generate a security PIN for critical operations. Configuring a security PIN for critical operations adds an extra layer of security for performing actions like deleting backups. Even if an administrator account is compromised, an attacker would also need access to the security PIN to perform critical operations, such as deleting backups. This aligns with the goal of preventing backups from being deleted, even if an administrator account is compromised. Options A and D are not directly related to securing backup operations:

sbnpj Option: A
Aug 6, 2023

It's clear in the document: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats

ServerBrain Option: A
Aug 18, 2023

I'm going with A, the question is about deleting not recovering.

billo79152718 Option: A
Jan 28, 2024

I will go for A. MUA by Resource Guard is recommended by Microsoft. See link: https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats

lt9898 Option: A
Feb 21, 2024

Leaning toward Option A for the following reasons:

- Option A (MUA) and Option C (PIN) are both effective ways to add resistance to deletion of backups from a Recovery Services Vault: https://learn.microsoft.com/en-us/azure/security/fundamentals/backup-plan-to-protect-against-ransomware?toc=%2Fazure%2Fbackup%2Ftoc.json&bc=%2Fazure%2Fbackup%2Fbreadcrumb%2Ftoc.json#steps-to-take-before-an-attack and https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats
- The question's ask is "ensure that a compromised administrator account cannot be used to delete the backups" ... continued in reply

lt9898
Feb 21, 2024

- Reading this question literally, it's possible a compromised account means that not only are the admin credentials compromised, but also the 2nd factor of authentication generating the PIN, neutralising the protection offered by Option C (PIN).
- Option A (MUA) separates security concerns into two separate admin accounts, the Security Admin and Backup Admin. A malicious actor would need to compromise BOTH accounts simultaneously to delete a backup if MUA was implemented correctly.

masby661 Option: A
Mar 11, 2024

https://techcommunity.microsoft.com/t5/azure-governance-and-management/security-and-ransomware-protection-with-azure-backup/ba-p/3986246

wsrudmen Option: C
Mar 20, 2024

It's C and not A because: configuring multi-user authorization may not specifically prevent a compromised administrator account from deleting backups if the compromised account has sufficient permissions.

Arjanussie Option: A
Dec 4, 2023

A: If you have a compromised administrator account, you should configure multi-user authorization by using Resource Guard for your vaults. This will prevent the admin from deleting the backups without the approval of another user who owns the Resource Guard. A security PIN is not sufficient to protect your backups, as the compromised admin may be able to access or reset the PIN.

Murtuza Option: A
Jan 2, 2024

Here are the subtle differences in the question. Pay attention to disabled vs deleted backups. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations. Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. MUA protects against disabling backups and reducing retention for backups.

bxlin Option: A
Jun 6, 2024

Only A works to ensure that a compromised administrator account cannot be used to delete the backups.

emartiy Option: A
Jun 26, 2024

Using MUA makes you "ensure that a compromised administrator account cannot be used to delete the backups." since it needs multiple admin checks, and MUA can't be disabled by the backup admin without security admin approval for MUA Operator role activation.

https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault#disable-mua-on-a-recovery-services-vault

To disable MUA on a vault, follow these steps: The Backup admin requests the Security admin for Backup MUA Operator role on the Resource Guard. They can request this to use the methods approved by the organization such as JIT procedures, like Microsoft Entra Privileged Identity Management, or other internal tools and procedures. The Security admin approves the request (if they find it worthy of being approved) and informs the Backup admin. Now the Backup admin has the Backup MUA Operator role on the Resource Guard.
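
The approval flow discussed in this thread, as a simplified model (an added example, not part of any comment above and not Azure's API; the class, operation and account names are hypothetical). It shows a vault admin being refused a critical operation until the Resource Guard owner grants a time-bound approval, and a design check for the case where one identity holds both roles.

```python
from dataclasses import dataclass, field
from typing import Optional

# Operations the thread lists as guarded by MUA (model names are made up).
CRITICAL_OPS = {"delete_backup", "disable_soft_delete", "reduce_retention", "disable_mua"}

@dataclass
class ResourceGuard:
    owner: str                                      # Security admin identity
    operators: dict = field(default_factory=dict)   # principal -> grant expiry

    def approve(self, approver: str, principal: str, now: int, ttl: int) -> None:
        """Time-bound grant of the operator role, as in a JIT workflow."""
        if approver != self.owner:
            raise PermissionError("only the Resource Guard owner can approve")
        self.operators[principal] = now + ttl

    def authorizes(self, principal: str, now: int) -> bool:
        return self.operators.get(principal, 0) > now

@dataclass
class Vault:
    backup_admins: set
    guard: Optional[ResourceGuard] = None

    def request(self, principal: str, op: str, now: int) -> str:
        if principal not in self.backup_admins:
            return "denied: not a vault admin"
        if op in CRITICAL_OPS and self.guard and not self.guard.authorizes(principal, now):
            return "denied: needs Resource Guard approval"
        return "allowed"

def separation_findings(vault: Vault) -> list:
    """Flag designs where one compromised account defeats the control."""
    if vault.guard is None:
        return ["no Resource Guard: any vault admin can run critical operations"]
    if vault.guard.owner in vault.backup_admins:
        return [f"{vault.guard.owner} holds both roles and can self-approve"]
    return []

# Constructed scenario: 'backup-admin' is the compromised account.
guard = ResourceGuard(owner="security-admin")
vault = Vault(backup_admins={"backup-admin"}, guard=guard)
before = vault.request("backup-admin", "delete_backup", now=100)
guard.approve("security-admin", "backup-admin", now=100, ttl=60)
during = vault.request("backup-admin", "delete_backup", now=130)
after = vault.request("backup-admin", "delete_backup", now=161)
print(before, during, after, separation_findings(vault), sep="\n")
```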

calotta1 Option: A
Aug 23, 2023

A is correct.

smanzana Option: C
Oct 24, 2023

C. From a Recovery Services vault, generate a security PIN for critical operations

juanpe147 Option: A
Dec 10, 2023

I think now the recommendation is MUA for Azure Backup, so I go with A.

Murtuza Option: C
Jan 5, 2024

Choice C is correct