Exam SC-100
Question 165

HOTSPOT

You have an Azure subscription and an on-premises datacenter. The datacenter contains 100 servers that run Windows Server. All the servers are backed up to a Recovery Services vault by using Azure Backup and the Microsoft Azure Recovery Services (MARS) agent.

You need to design a recovery solution for ransomware attacks that encrypt the on-premises servers. The solution must follow Microsoft Security Best Practices and protect against the following risks:

• A compromised administrator account used to delete the backups from Azure Backup before encrypting the servers

• A compromised administrator account used to disable the backups on the MARS agent before encrypting the servers

What should you use for each risk? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

    Correct Answer:

Discussion
MaciekMT

From ChatGPT: For deleted backups, I would recommend using a security PIN for critical operations - to prevent a compromised administrator account from deleting the backups. This adds an additional layer of security to prevent unauthorized access to the backups. For disabled backups, I would recommend using Multi-user authorization by using Resource Guard - to prevent a compromised administrator account from disabling the backups. This allows you to specify which users are authorized to perform critical operations and limits the scope of potential attacks.

Devon

I agree. Deleted: PIN. Disabled: Resource Guard.

Cock

66666You can speak Japanese. That's cool

KallMeDan

Would agree here since soft delete will still allow deletion. Security PIN is the preventative control in compromised identity.

Ramye

ChatGPT may not be reliable. It's not on this question.

cyber_sa

Got this in exam 6oct23. Passed with 896 marks. I answered:
1. Soft delete of backups
2. Multi-user authorization by using Resource Guard

Intrudire

Deleted Backups: Soft Delete
Disabled Backups: Resource Guard
https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq
I don't exactly know how this reconciles with all the previous questions saying PIN was a configuration protection mechanism.

billy22

Ensure soft delete is enabled to protect backups from accidental or malicious deletes
Soft delete is enabled by default on a newly created Recovery Services vault. It protects backup data from accidental or malicious deletes for 14 days at no additional cost, allowing the recovery of that backup item before it’s permanently lost. We recommend not to disable this feature. If backups are deleted and soft delete isn’t enabled, you or Microsoft can’t recover the deleted backup data. Use Multi-user authorization (MUA) as an additional layer of protection for these critical operations on your Recovery Services vault to validate operation before disabling this feature.
Ensure Multi-user authorization (MUA) is enabled to protect against rogue admin scenario. MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization.

cris_exam

Why not both answers MUA?
https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats
"We also recommend using Multi-user authorization (MUA) to protection critical operations on your Recovery Services vault. Ensure Multi-user authorization (MUA) is enabled to protect against rogue admin scenario. MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization."

emartiy

Read question widely. It shows "Deleted backups" and "Disabled backups". So, your selections must provide a solution for those actions. Not prevent actions like block deleting or disabling backup. So, when risk of both backup deletion and disabling backup is success. What will you do?
Box1: Soft delete of backups lets you restore "deleted" backups.
Box2: Multi-user authorization lets you approve to perform to disable backup. So, action is not desired or controlled won't be performed by compromised admin account.

lt9898

1. Multi-user authorization by using Resource Guard
MUA will prevent a single compromised admin account from deleting previously made backups. Some have suggested Soft Delete, but imo this will not mitigate the risk of the backups being deleted by a compromised admin account, however, it will increase the chance of recovery in the event of deletion happening (assuming < 14 days). I'd also guess that malicious actors would quietly wait for soft-deletes to expire before triggering the encryption.
2. Security PIN
A Security PIN will help to prevent a compromised account from stopping protection at the MARS agent installed on the on-prem server. https://learn.microsoft.com/en-us/azure/backup/backup-azure-manage-mars#stop-protection-and-delete-backup-data
Others have mentioned MUA, which I would agree to if this were disabling from the Azure Backups/Recovery Services Vault side, but the question mentioned disablement on the MARS agent. Happy to be corrected

smanzana

1. Soft delete of backups
2. Multi-user authorization by using Resource Guard

ConanBarb

Deleted backups: Multi-user authorization
So this is about the service in Azure. Not the servers on-prem. https://learn.microsoft.com/en-us/azure/backup/multi-user-authorization?tabs=azure-portal&pivots=vaults-recovery-services-vault Search for: "For example, disabling soft delete is depicted here"
Disabled backups: security PIN
It's critical to note here that this is about the MARS agent, i.e. on the server "A compromised administrator account used to disable the backups on the MARS agent before encrypting the servers". Not anything on Azure. This guide explains how to manage and protect the MARS agent, and includes setting the PIN. https://learn.microsoft.com/en-us/azure/backup/backup-azure-manage-mars

Mithu94

Given answer is correct. Key words are "design a recovery solution", not protecting.

Nian

Still Soft Delete is for workloads running in Azure only - not on-prem server backups with MARS agents https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature
For me:
1. Security PIN
2. MUA

Cleggs

Soft Delete isn't available for backups with MABS, so option 1 should be PIN, 2nd should be Resource Guard.

Mnguyen0503

MARS or MABS still use Recovery Vault Service to store their backup. Soft delete is enabled by default under the Recovery Vault Properties. You don't enable it when setting up the backup job itself. So your statement is wrong. Soft Delete is the correct answer.

mohamad.awawdeh2000

To address the risks mentioned in the image and follow Microsoft Security Best Practices, the appropriate selections are:
Deleted backups: For protecting against a compromised administrator account deleting the backups, you should use Multi-user authorization by using Resource Guard. This ensures that critical operations, such as deleting backups, require multiple approvals, adding an extra layer of security.
Disabled backups: For protecting against a compromised administrator account disabling the backups on the MARS agent, you should use A security PIN for critical operations. This requires a security PIN to perform critical operations, ensuring that even if an account is compromised, the backups cannot be easily disabled without the PIN.
Thus, the selections are:
Deleted backups: Multi-user authorization by using Resource Guard
Disabled backups: A security PIN for critical operations

deadheadx

Finally found it.
1. Soft delete for backups.
With soft-delete, if a user deletes the backup (of a VM, SQL Server database, Azure file share, SAP HANA database), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days retention of backup data in the soft delete state doesn't incur any cost.
2. MUA
Azure Backup provides you with the Multi-User Authorization (MUA) feature to protect you from such rogue administrator attacks. Multi-user authorization helps protect against a rogue administrator performing destructive operations (that is, disabling soft-delete), by ensuring that every privileged/destructive operation is done only after getting approval from a security administrator. https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices

wsrudmen

Deleted backups - Security PIN
Soft delete doesn't exist with MABS.
Disabled - MUA by using Resource Guard

Ramye

- Soft Delete - so a copy of the backup is stored in the Recycle Bin for 14 Days which can be used to restore
- Multi-user authorization by using Resource Guard - to ensure multiple authorization required for sensitive tasks

Murtuza

Review this below, it's the exact same question: https://www.cert2brain.com/Server/Demo.aspx?exam=SC-100

Murtuza

As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations. Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. MUA protects against disabling backups and reducing retention for backups.

rishiraval007

Deleted backups: C. Multi-user authorization by using Resource Guard
Resource Guard is a feature in Azure Backup that can provide an additional layer of protection for your backup data. It requires more than one person (multi-user authorization) to perform critical operations like deleting backup data, which helps protect against the risk of a compromised administrator account being used to delete backups.
Disabled backups: D. Soft delete of backups
Soft delete provides a retention period for deleted backups, meaning that even if backups are deleted (either accidentally or maliciously), they are retained for a set period (by default 14 days) and can be recovered during that time. This can protect against a compromised account attempting to disable backups on the MARS agent before encrypting the servers, as you would still have a window to recover those backups.