Microsoft - AZ-801: Configuring Windows Server Hybrid Advanced Services

Sample Questions

Question: 202
Measured Skill: Secure Windows Server on-premises and hybrid infrastructures (25-30%)

You have an Azure subscription that contains an Azure key vault named Vault1.

You deploy Azure Disk Encryption.

You configure Vault1 to support Azure Disk Encryption.

You need to ensure that you can encrypt Azure Disk Encryption artifacts before they are written to Vault1. The solution must provide the highest level of encryption.

How should you complete the command?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A P1: certificate
  P2: EC
B P1: certificate
  P2: RSA
C P1: key
  P2: EC-HSM
D P1: key
  P2: RSA
E P1: secret
  P2: RSA-HSM
F P1: secret
  P2: EC-HSM

Correct answer: D

Explanation:

Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. 

If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. When a key encryption key (KEK) is specified, Azure Disk Encryption uses that key to wrap the encryption secrets (Azure Disk Encryption artifacts) before writing to Key Vault. Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.

Example: 

az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096

Reference: Create and configure a key vault for Azure Disk Encryption on a Windows VM



Question: 203
Measured Skill: Secure Windows Server on-premises and hybrid infrastructures (25-30%)

You have a server that runs Windows Server.

You need to enable the following security features:
  • Core isolation
  • Force randomization for images (Mandatory ASLR)
Which Windows Security tile should you use to enable each feature?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A Core isolation: App & browser control
  Force randomization for images (Mandatory ASLR): Device security
B Core isolation: Device security
  Force randomization for images (Mandatory ASLR): Device security
C Core isolation: Firewall & network protection
  Force randomization for images (Mandatory ASLR): App & browser control
D Core isolation: Virus & threat protection
  Force randomization for images (Mandatory ASLR): Virus & threat protection
E Core isolation: Device security
  Force randomization for images (Mandatory ASLR): App & browser control
F Core isolation: Device security
  Force randomization for images (Mandatory ASLR): Firewall & network protection

Correct answer: E

Explanation:

Core isolation, including Memory integrity, is managed under the Device security tile in Windows Security.

To force Address Space Layout Randomization (ASLR) for all executables on Windows Server, open Windows Security\App & browser control\Exploit protection settings and set "Force randomization for images (Mandatory ASLR)" to "On by default". This setting applies system-wide but may cause compatibility issues with older applications that don't fully support ASLR.

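The two settings from this question, scripted as an audit that enables each one only when it is found off. This is an added example, not cert2brain's or Microsoft's code; it assumes an elevated session on the server, the ProcessMitigations cmdlets (Windows Server 2016 or later), and the Win32_DeviceGuard class and HVCI registry path as documented.

```powershell
# Added example: audit Memory integrity (Core isolation) and Mandatory ASLR, enabling each only if off.
# Run as Administrator. Assumptions: Win32_DeviceGuard class layout and the HVCI registry path.

# --- Device security > Core isolation > Memory integrity (HVCI) ---
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
# A value of 2 in SecurityServicesRunning means hypervisor-enforced code integrity is active.
$hvciRunning = $dg.SecurityServicesRunning -contains 2
Write-Host "Memory integrity running: $hvciRunning"
if (-not $hvciRunning) {
    # The same switch the Windows Security tile flips; takes effect after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name Enabled -Value 1 -Type DWord
    Write-Host "Memory integrity enabled; reboot required."
}

# --- App & browser control > Exploit protection > Force randomization for images ---
$sys = Get-ProcessMitigation -System
Write-Host "Mandatory ASLR (system default): $($sys.ASLR.ForceRelocateImages)"
if ($sys.ASLR.ForceRelocateImages -ne 'ON') {
    # Equivalent of "On by default". It applies to every process without a per-app override,
    # so test legacy applications first and exempt them individually with
    # Set-ProcessMitigation -Name <app.exe> -Disable ForceRelocateImages if they break.
    Set-ProcessMitigation -System -Enable ForceRelocateImages
    Write-Host "Mandatory ASLR enabled system-wide."
}
```
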
References:

Enable virtualization-based protection of code integrity

Customize exploit protection



Question: 204
Measured Skill: Secure Windows Server on-premises and hybrid infrastructures (25-30%)

Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains a server named Server1 that runs Windows Server and is in an organizational unit (OU) named OU1.

You have a Group Policy Object (GPO) that is linked to OU1 and has the Windows Defender SmartScreen settings shown in the following table.



You have the apps shown in the following table.



Which apps can you install on Server1?

A App1 only
B App1 and App2 only
C App1 and App3 only
D App1, App2, and App3

Correct answer: A

Explanation:

You can configure Microsoft Defender SmartScreen to block suspicious content entirely, or show users a warning but allow them to continue to load the content.

The Configure Windows Defender SmartScreen setting allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.

Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.

If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:

  • Warn and prevent bypass
  • Warn

If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.

The Configure App Install Control setting is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.

If you enable this setting, you must choose from the following behaviors:

  • Turn off app recommendations
  • Show me app recommendations
  • Warn me before installing apps from outside the Store
  • Allow apps from Store only

If you disable or don't configure this setting, users will be able to install apps from anywhere, including files downloaded from the Internet.

Reference: Available Microsoft Defender SmartScreen settings



Question: 205
Measured Skill: Secure Windows Server on-premises and hybrid infrastructures (25-30%)

Your network contains an Active Directory Domain Services (AD DS) domain. The domain contains two users named User1 and User2 that are members of the Domain Admins group.

You need to harden security for the domain. The solution must meet the following requirements:
  • Minimize risks associated with the Domain Admins group and privilege escalation on the domain.
  • Ensure that the built-in administrator account can perform forest recovery operations.
  • Reduce the attack surface of the Domain Admins groups.
  • Follow the principle of least privilege.
How should you modify the Domain Admins group, and which user rights should you assign to the Domain Admins group?

(To answer, drag the appropriate options to the correct requirements. Each component may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A For the Domain Admins group: Add additional accounts.
  User rights: User rights B
B For the Domain Admins group: Add additional accounts.
  User rights: User rights C
C For the Domain Admins group: Remove the built-in administrator account.
  User rights: User rights A
D For the Domain Admins group: Remove the built-in administrator account.
  User rights: User rights C
E For the Domain Admins group: Remove all accounts except for the built-in administrator account.
  User rights: User rights B
F For the Domain Admins group: Remove all accounts except for the built-in administrator account.
  User rights: User rights A

Correct answer: E

Explanation:

As is the case with the Enterprise Admins (EA) group, membership in the Domain Admins (DA) group should be required only in build or disaster recovery scenarios. There should be no day-to-day user accounts in the DA group with the exception of the built-in Administrator account for the domain. 

To minimize risks associated with the Domain Admins group and privilege escalation on the domain, and to ensure that the built-in administrator account can perform forest recovery operations, remove all accounts except for the built-in administrator account from the Domain Admins group. To reduce the risk of the built-in Administrator account being compromised, rename the account by using the Accounts: Rename administrator account security option.

In GPOs linked to OUs containing member servers and workstations in each domain, the DA group should be added to the following user rights in Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignments:

  • Deny access to this computer from the network
  • Deny log on as a batch job
  • Deny log on as a service
  • Deny log on locally
  • Deny log on through Remote Desktop Services 

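An audit of the two controls in this explanation, as an added example that is not cert2brain's or Microsoft's code: it reports any Domain Admins member other than the built-in Administrator (RID 500) and checks that a GPO assigns Domain Admins to all five Deny rights. It assumes the ActiveDirectory and GroupPolicy RSAT modules, a placeholder GPO name, and the Get-GPOReport XML layout (UserRightsAssignment entries with Name and Member elements) as documented.

```powershell
# Added example: verify Domain Admins membership and the five Deny user rights in a GPO.
# Assumptions: RSAT AD and GroupPolicy modules; $gpoName is a placeholder you must replace.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName = "Member Server Baseline"   # assumed name of the GPO linked to the server/workstation OUs

# 1. Only the built-in Administrator (domain SID + RID 500) should remain in Domain Admins.
$domainSid = (Get-ADDomain).DomainSID.Value
$extra = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object { $_.SID.Value -ne "$domainSid-500" }
if ($extra) {
    Write-Warning "Domain Admins still contains day-to-day accounts:"
    $extra | Select-Object SamAccountName, objectClass, SID | Format-Table -AutoSize
} else {
    Write-Host "Domain Admins holds only the built-in Administrator account."
}

# 2. The GPO must list Domain Admins (RID 512) under every Deny logon right.
$required = [ordered]@{
    SeDenyNetworkLogonRight           = "Deny access to this computer from the network"
    SeDenyBatchLogonRight             = "Deny log on as a batch job"
    SeDenyServiceLogonRight           = "Deny log on as a service"
    SeDenyInteractiveLogonRight       = "Deny log on locally"
    SeDenyRemoteInteractiveLogonRight = "Deny log on through Remote Desktop Services"
}
# GPO report elements may arrive as plain strings or as XmlElements; normalise to text.
function Get-Text($node) { if ($node -is [System.Xml.XmlElement]) { $node.InnerText } else { [string]$node } }

[xml]$report = Get-GPOReport -Name $gpoName -ReportType Xml
$assigned = $report.GPO.Computer.ExtensionData.Extension.UserRightsAssignment
foreach ($right in $required.Keys) {
    $entry   = $assigned | Where-Object { (Get-Text $_.Name) -eq $right }
    $members = @($entry.Member | ForEach-Object { Get-Text $_.SID })
    if ($members -contains "$domainSid-512") {
        Write-Host "OK       $($required[$right])"
    } else {
        Write-Warning "MISSING  $($required[$right]) does not list Domain Admins"
    }
}
```
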
Reference: Appendix F: Securing Domain Admins Groups in Active Directory



Question: 206
Measured Skill: Secure Windows Server on-premises and hybrid infrastructures (25-30%)

You have an Azure subscription. The subscription contains a virtual machine named VM1 that runs Windows Server.

You need to encrypt the disks connected to VM1 by using Azure Disk Encryption. The solution must use a key encryption key (KEK).

Which three actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

A Sequence: 2, 3, 4
B Sequence: 2, 5, 6
C Sequence: 2, 1, 4
D Sequence: 2, 4, 6

Correct answer: D

Explanation:

Azure Disk Encryption uses Azure Key Vault to control and manage disk encryption keys and secrets. 

The first step is to create an Azure Key Vault.

The second step is to add a KEK to your key vault. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault.

Use the Azure PowerShell Add-AzKeyVaultKey cmdlet to generate a new KEK and store it in your key vault as shown below:

Add-AzKeyVaultKey -Name "myKEK" -VaultName "<your-unique-keyvault-name>" -Destination "HSM" -Size 4096

To actually encrypt the disks, supply the resource ID of the key vault that holds the KEK and the URL of the KEK to the -KeyEncryptionKeyVaultId and -KeyEncryptionKeyUrl parameters of the Azure PowerShell Set-AzVMDiskEncryptionExtension cmdlet. This example assumes that you are using the same key vault for both the disk encryption key and the KEK.

$KeyVault = Get-AzKeyVault -VaultName "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup"
$KEK = Get-AzKeyVaultKey -VaultName "<your-unique-keyvault-name>" -Name "myKEK"

Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id -SkipVmBackup -VolumeType All

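The full sequence (vault, KEK, encryption) carried through with the checks an operator runs before and after, serving both this question and the KEK creation in Question 202. This is an added example, not cert2brain's or Microsoft's code; the resource group, region and vault name are placeholders, and it assumes the vault is in the same subscription and region as VM1, as Azure Disk Encryption requires.

```powershell
# Added example: Azure Disk Encryption with a KEK, idempotent, with verification.
# Placeholders: $rg, $vaultName, $vmName, $location (vault and VM must share a region).
$rg        = "myResourceGroup"
$vaultName = "<your-unique-keyvault-name>"
$vmName    = "MyVM"
$location  = "eastus"

# Step 1: create the key vault, or make sure an existing one is enabled for disk encryption.
$KeyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $KeyVault) {
    $KeyVault = New-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg `
                               -Location $location -EnabledForDiskEncryption
} elseif (-not $KeyVault.EnabledForDiskEncryption) {
    # Without this flag the ADE extension cannot write the disk encryption secret to the vault.
    Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $rg -EnabledForDiskEncryption
    $KeyVault = Get-AzKeyVault -VaultName $vaultName -ResourceGroupName $rg
}

# Step 2: create the KEK as an HSM-protected 4096-bit RSA key (reuse it if it already exists).
$KEK = Get-AzKeyVaultKey -VaultName $vaultName -Name "myKEK" -ErrorAction SilentlyContinue
if (-not $KEK) {
    $KEK = Add-AzKeyVaultKey -VaultName $vaultName -Name "myKEK" -Destination "HSM" -Size 4096
}

# Step 3: encrypt all volumes; the KEK wraps the disk encryption secret before it reaches the vault.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId `
    -KeyEncryptionKeyVaultId $KeyVault.ResourceId -KeyEncryptionKeyUrl $KEK.Id `
    -VolumeType All -SkipVmBackup -Force

# Verify: both OS and data volumes should report Encrypted once the extension finishes.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage
```
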
Reference: Create and configure a key vault for Azure Disk Encryption on a Windows VM




© Copyright 2014 - 2025 by cert2brain.com