[Microsoft] AZ-801 - Windows Server Hybrid Admin Associate Exam Dumps & Study Guide
The Configuring Windows Server Hybrid Advanced Services (AZ-801) is the premier certification for IT professionals who want to demonstrate their expertise in managing and securing advanced Windows Server services across on-premises, hybrid, and cloud environments. As organizations increasingly adopt hybrid cloud models, the ability to build and manage robust, scalable, and secure infrastructures that bridge the gap between local data centers and Microsoft Azure has become a highly sought-after skill. The AZ-801 validates your core knowledge of advanced Windows Server technologies, including high availability, disaster recovery, security, and migration in a hybrid context. It is an essential milestone for any professional looking to lead in the age of modern hybrid administration.
Overview of the Exam
The AZ-801 exam is a rigorous assessment that covers the implementation and management of advanced Windows Server hybrid services. It is a 120-minute exam consisting of approximately 40-60 questions. The exam is designed to test your knowledge of advanced Windows Server technologies and your ability to apply them to real-world hybrid scenarios. From high availability and disaster recovery using Failover Clustering and Azure Site Recovery to advanced security and migration, the AZ-801 ensures that you have the skills necessary to build and maintain modern hybrid environments. Achieving the AZ-801 certification proves that you are a highly skilled professional who can handle the technical demands of enterprise-grade hybrid administration.
Target Audience
The AZ-801 is intended for IT professionals who have a solid understanding of Windows Server and Microsoft Azure services. It is ideal for individuals in roles such as:
1. Windows Server Administrators
2. Hybrid Cloud Administrators
3. Systems Engineers
4. Network Administrators
To qualify for the Microsoft Certified: Windows Server Hybrid Administrator Associate certification, candidates must pass both the AZ-800 and the AZ-801 exams.
Key Topics Covered
The AZ-801 exam is organized into several main domains:
1. Secure Windows Server On-Premises and Hybrid Infrastructures (25-30%): Implementing and managing advanced security solutions across hybrid environments.
2. Implement and Manage Windows Server High Availability (10-15%): Configuring and managing high-availability solutions using Failover Clustering.
3. Implement Disaster Recovery (10-15%): Designing and implementing disaster recovery solutions using Azure Site Recovery and backup features.
4. Migrate Servers and Workloads (20-25%): Implementing migration solutions for Windows Server workloads to Azure.
5. Monitor and Troubleshoot Windows Server Environments (20-25%): Monitoring performance and health of hybrid environments and identifying and resolving issues.
Benefits of Getting Certified
Earning the AZ-801 certification provides several significant benefits. First, it offers industry recognition of your specialized expertise in Microsoft's hybrid infrastructure technologies. As a leader in the hybrid cloud industry, Microsoft skills are in high demand across the globe. Second, it can lead to increased career opportunities and higher salary potential in a variety of roles. Third, it demonstrates your commitment to professional excellence and your dedication to staying current with the latest hybrid administration practices. By holding this certification, you join a global community of Microsoft professionals and gain access to exclusive resources and continuing education opportunities.
Why Choose NotJustExam.com for Your AZ-801 Prep?
The AZ-801 exam is challenging and requires a deep understanding of Windows Server's advanced features in a hybrid context. NotJustExam.com is the best resource to help you master this material. Our platform offers an extensive bank of practice questions that are designed to mirror the actual exam’s format and difficulty.
What makes NotJustExam.com stand out is our focus on interactive logic and the accuracy of our explanations. We don’t just provide a list of questions; we provide a high-quality learning experience. Every question in our bank includes an in-depth, accurate explanation that helps you understand the technical reasoning behind the correct administration solutions. This ensures that you are truly learning the material and building the confidence needed to succeed on the exam. Our content is regularly updated to reflect the latest Microsoft features and exam updates. With NotJustExam.com, you can approach your AZ-801 exam with the assurance that comes from thorough, high-quality preparation. Start your journey toward becoming a Certified Hybrid Administrator today with us!
Free [Microsoft] AZ-801 - Windows Server Hybrid Admin Associate Practice Questions Preview
Question 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Controlled folder access.
Does this meet the goal?
Correct Answer:
A
Explanation:
The AI recommends answer A, which is Yes.
Controlled Folder Access is a Windows Security feature that protects your data from ransomware and other malicious apps.
It works by only allowing trusted apps to access protected folders.
This aligns directly with the question's requirement to ensure only specific applications can modify data in protected folders.
Configuring Controlled folder access from Virus & threat protection is the correct approach to achieve the desired outcome.
- Reasoning for choosing A (Yes): Controlled Folder Access, when configured correctly, restricts which applications can access files in protected folders. This directly addresses the requirement of allowing only specific applications to modify data in those folders.
- Reasoning for not choosing B (No): Choosing "No" would imply that Controlled Folder Access is not the correct solution. However, Controlled Folder Access is designed to limit folder access to trusted applications, which directly addresses the need presented in the question.
Citations:
- Controlled folder access, https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folder-access
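The same configuration can be scripted with the Microsoft Defender cmdlets. The following is an added example, not part of the original question set; the folder and executable paths are constructed placeholders, and the script stays in audit mode unless `-Enforce` is passed.

```powershell
#Requires -RunAsAdministrator
param(
    # Constructed sample values; replace with the real folders and executables.
    [string[]]$ProtectedFolder = @('D:\FinanceData'),
    [string[]]$AllowedApp      = @('C:\Program Files\Contoso\LobApp.exe'),
    [switch]$Enforce            # omit to stay in audit mode
)

# Audit mode logs writes by unlisted apps without blocking them,
# which shows what enforcement would break before it is turned on.
$mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
Set-MpPreference -EnableControlledFolderAccess $mode

# Add-MpPreference appends to the existing lists instead of replacing them.
foreach ($folder in $ProtectedFolder) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}
foreach ($app in $AllowedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
}

# Confirm the resulting state.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications

# Event 1124 = write audited, 1123 = write blocked, 5007 = setting changed.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 5007
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Reviewing the 1124 events from the audit period shows which legitimate applications still need to be added to the allowed list before switching to enforcement.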
Question 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From Virus & threat protection, you configure Tamper Protection.
Does this meet the goal?
Correct Answer:
B
Explanation:
The AI agrees with the suggested answer.
The suggested answer is B. No.
Reasoning: Tamper Protection is a feature of Microsoft Defender Antivirus that protects the antivirus settings themselves from being modified by unauthorized or malicious applications. While it does protect certain system settings, it does not provide general protection for all data in protected folders, nor does it allow specifying which applications can modify data in those folders.
Why other options are incorrect: Option A is incorrect because Tamper Protection does not meet the stated goal of ensuring that only specific applications can modify data in protected folders. It is specifically designed to protect Microsoft Defender Antivirus settings.
Citations:
- Manage Tamper Protection, https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings?view=o365-worldwide
Question 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a server named Server1 that runs Windows Server.
You need to ensure that only specific applications can modify the data in protected folders on Server1.
Solution: From App & browser control, you configure the Exploit protection settings.
Does this meet the goal?
Correct Answer:
B
Explanation:
The suggested answer is correct. The answer should be B (No).
Reasoning:
Exploit protection, while a security feature, is primarily designed to prevent malware from exploiting vulnerabilities in software. It does not directly control which specific applications can modify data in protected folders. The goal is to ensure only specific applications can modify data in protected folders. Exploit protection focuses on preventing exploits, not on application-level access control.
To achieve the stated goal, one would typically use methods like:
- File system permissions (NTFS permissions)
- AppLocker
- Windows Defender Application Control (WDAC)
Exploit protection settings are configured within the "Virus & threat protection" section of Windows Security, further supporting its role in malware prevention rather than application-specific data access control. This is different from controlling which applications can write to protected folders.
Why other options are incorrect:
Option A (Yes) is incorrect because Exploit protection is not the appropriate mechanism for controlling which specific applications can modify data in protected folders. It is primarily for preventing exploitation of vulnerabilities.
Question 4
DRAG DROP
You have an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure Active Directory (Azure AD) tenant.
The AD DS domain contains a domain controller named DC1. DC1 does NOT have internet access.
You need to configure password security for on-premises users. The solution must meet the following requirements:
✑ Prevent the users from using known weak passwords.
✑ Prevent the users from using the company name in passwords.
What should you do? To answer, drag the appropriate configurations to the correct targets. Each configuration may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Correct Answer:
See interactive view.
Explanation:
The AI agrees with the suggested answer.
To configure password security for on-premises users, while preventing them from using known weak passwords and the company name in passwords, the following steps are recommended:
- On DC1 (the domain controller without internet access): Install the Azure AD Password Protection DC agent. This agent enforces password policies locally and filters out weak passwords.
- On a server with internet access: Install the Azure AD Password Protection proxy service. The proxy service communicates with Azure AD to download the global banned password list and any custom banned password lists.
- Configure Azure AD Password Protection. This involves setting up the custom banned password list (e.g., containing the company name) and configuring the password policy.
Reasoning:
The question specifies that DC1 does not have internet access, which necessitates a proxy server for communication with Azure AD. The DC agent, installed on DC1, enforces the password policies locally. The proxy service, installed on a server with internet access, downloads the necessary password lists from Azure AD. Configuring Azure AD Password Protection is crucial for defining the custom banned password list (company name) and overall password policy.
Why other options are not suitable:
Installing the Azure AD Connect health agent or enabling Azure AD Domain Services would not directly address the requirement of preventing users from using weak passwords or the company name in their passwords within the on-premises Active Directory environment. These options serve different purposes, such as monitoring directory synchronization and providing managed domain services in Azure, respectively. They do not offer the password protection features needed for this scenario. Installing the Azure AD Password Protection for Windows Server Active Directory agent on DC1 without the proxy server would not allow the agent to receive the global banned password list or any custom banned password lists from Azure AD, because DC1 does not have internet access.
Therefore, the suggested answer is correct because it includes all the necessary components and configurations to meet the stated requirements.
Citations:
- How to deploy Azure AD Password Protection for Windows Server Active Directory, https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-ban-bad-on-premises-deploy
Question 5
Correct Answer:
See interactive view.
Explanation:
Based on the provided information and the discussion summary, the AI agrees with the suggested answer: Yes, No, No.
Here's a detailed reasoning for each statement:
- Statement 1: The PSO applies to ServiceAccount1. This is TRUE (Yes).
- Reason: ServiceAccount1 is a member of the "Service Accounts" group, and the PSO is applied to this group. Therefore, the password policy defined in the PSO will apply to ServiceAccount1.
- Statement 2: The Default Domain policy applies to ServiceAccount2. This is TRUE (No).
- Reason: ServiceAccount2 is NOT a member of the "Service Accounts" group. The PSO only applies to members of that group. Accounts not explicitly covered by a PSO will fall back to the Default Domain Policy.
- Statement 3: A password length of 15 characters meets the requirements of the PSO. This is FALSE (No).
- Reason: The PSO specifies a minimum password length of 16 characters. A password with a length of 15 characters does not meet this requirement.
The following points support the reasoning:
- Fine-Grained Password Policies (FGPPs) allow you to specify different password and account lockout policies for users and groups within a domain.
- If a user is not subject to an FGPP, the Default Domain Policy applies.
- PSOs take precedence over the Default Domain Policy for the users or groups they apply to.
The documentation link provided confirms the ability to manage fine-grained password policies using the Active Directory Administrative Center.
Citations:
- Introduction to Active Directory Administrative Center Enhancements (Level 100), https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-#fine_grained_pswd_policy_mgmt
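The fallback behaviour described above (PSO if one applies, otherwise the Default Domain Policy) can be checked per account with the ActiveDirectory module. This is an added example, not part of the original question set; the account names are taken from the explanation and are assumed to exist as user objects in the domain.

```powershell
Import-Module ActiveDirectory

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    # Returns the winning PSO (direct or via group), or nothing if no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    if ($pso) {
        [pscustomobject]@{
            Account           = $Identity
            Source            = "PSO: $($pso.Name)"
            Precedence        = $pso.Precedence
            MinPasswordLength = $pso.MinPasswordLength
        }
    } else {
        # No PSO applies, so the domain-wide policy is in effect.
        $default = Get-ADDefaultDomainPasswordPolicy
        [pscustomobject]@{
            Account           = $Identity
            Source            = 'Default Domain Policy'
            Precedence        = $null
            MinPasswordLength = $default.MinPasswordLength
        }
    }
}

# Accounts named in the explanation above (assumed to exist).
'ServiceAccount1', 'ServiceAccount2' |
    ForEach-Object { Get-EffectivePasswordPolicy -Identity $_ } |
    Format-Table -AutoSize

# List every PSO with the users and groups it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, AppliesTo
```

When several PSOs reach the same user, the one with the lowest precedence value is the one `Get-ADUserResultantPasswordPolicy` returns.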
Question 6
DRAG DROP
Your network contains an Active Directory Domain Services (AD DS) domain.
You need to implement a solution that meets the following requirements:
✑ Ensures that the members of the Domain Admins group are allowed to sign in only to domain controllers
✑ Ensures that the lifetime of Kerberos Ticket Granting Ticket (TGT) for the members of the Domain Admins group is limited to one hour
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:

Correct Answer:
See interactive view.
Explanation:
The AI agrees with the suggested answer.
Here's a detailed explanation:
The correct sequence of actions is:
- Configure the Kerberos Policy settings for the Default Domain Policy GPO.
- Create an authentication policy.
- Create an authentication policy silo.
Reasoning:
- Step 1: Configure Kerberos Policy Settings: This is the foundational step. The requirement is to limit the Kerberos Ticket Granting Ticket (TGT) lifetime for members of the Domain Admins group to one hour. This setting is configured within the Kerberos policy of a Group Policy Object (GPO). The Default Domain Policy GPO is a suitable place to configure domain-wide Kerberos settings.
It is a required step to set the maximum lifetime for user ticket to 1 hour.
- Step 2: Create an Authentication Policy: Authentication policies define restrictions on account usage. The requirement is to ensure that members of the Domain Admins group can only sign in to domain controllers. Authentication policies are used to control which computers a user can authenticate to. Thus, after configuring Kerberos policy, the next step is to create an authentication policy that restricts Domain Admins to signing in only to domain controllers.
You must create the authentication policy before creating the silo, as the silo references the policy.
- Step 3: Create an Authentication Policy Silo: Authentication policy silos provide a way to group accounts and apply authentication policies to them. The final step is to create an authentication policy silo, add the Domain Admins group to it, and associate the authentication policy created in the previous step. This enforces the restriction that Domain Admins can only sign in to domain controllers and that their TGT lifetime is limited to one hour.
Why other sequences are incorrect:
- Creating an authentication policy silo before creating the authentication policy is incorrect because the silo needs to reference the policy. You must define the policy before you can assign it to a silo.
- Performing any of the steps out of order will prevent the solution from functioning correctly, as the dependencies between the steps must be respected.
In summary, the suggested answer provides the correct sequence of steps to fulfill the requirements of limiting Domain Admins' TGT lifetime and restricting their sign-in to domain controllers using authentication policies and silos.
Citations:
- Authentication Policies and Authentication Policy Silos, https://learn.microsoft.com/en-us/windows-server/security/kerberos/authentication-policies-and-authentication-policy-silos
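The policy-then-silo order described above, scripted with the ActiveDirectory module. This is an added example, not part of the original question set; the policy and silo names are hypothetical, and it assumes Kerberos armoring and claims support are already enabled for the domain.

```powershell
Import-Module ActiveDirectory

$policyName = 'DomainAdminsPolicy'   # hypothetical name
$siloName   = 'DomainAdminsSilo'     # hypothetical name

# Access-control condition: the user may authenticate only from
# devices that belong to the same authentication policy silo.
$fromSilo = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "{0}"))' -f $siloName

# 1. The policy must exist first because the silo references it.
#    UserTGTLifetimeMins sets the TGT lifetime for accounts under this policy.
New-ADAuthenticationPolicy -Name $policyName -Enforce `
    -UserTGTLifetimeMins 60 `
    -UserAllowedToAuthenticateFrom $fromSilo

# 2. Create the silo and attach the policy for user accounts.
New-ADAuthenticationPolicySilo -Name $siloName -Enforce `
    -UserAuthenticationPolicy $policyName

# 3. Silo membership is assigned per account, so the members of
#    Domain Admins and the domain controller computer accounts are enumerated.
$adminDns = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName
$dcDns = Get-ADDomainController -Filter * |
    Select-Object -ExpandProperty ComputerObjectDN

foreach ($dn in @($adminDns) + @($dcDns)) {
    # Permit the account in the silo, then assign the silo to the account.
    Grant-ADAuthenticationPolicySiloAccess -Identity $siloName -Account $dn
    Set-ADAccountAuthenticationPolicySilo -Identity $dn -AuthenticationPolicySilo $siloName
}

# 4. Verify the result.
Get-ADAuthenticationPolicySilo -Identity $siloName |
    Select-Object Name, Enforce, UserAuthenticationPolicy, Members
```

Keep a tested break-glass account outside the silo until sign-in from the domain controllers has been confirmed to work.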
Question 7
You have an Azure virtual machine named VM1 that runs Windows Server.
You plan to deploy a new line-of-business (LOB) application to VM1.
You need to ensure that the application can create child processes.
What should you configure on VM1?
- A. Microsoft Defender Credential Guard
- B. Microsoft Defender Application Control
- C. Microsoft Defender SmartScreen
- D. Exploit protection
Correct Answer:
D
Explanation:
The AI agrees with the suggested answer, which is D. Exploit protection.
Reasoning: The question asks how to ensure an application can create child processes. Exploit protection is a Windows security feature that can be configured to prevent certain behaviors, including the creation of child processes by applications if those processes are deemed potentially harmful. By configuring Exploit protection, you can control whether or not the new LOB application can create child processes.
Why other options are incorrect:
- A. Microsoft Defender Credential Guard: Credential Guard is used to protect domain credentials by using virtualization-based security to isolate secrets. It does not directly control the creation of child processes.
- B. Microsoft Defender Application Control: Application Control is used to control which applications can run on a system. While it can indirectly affect child processes by preventing the parent application from running, it is not the most direct way to control child process creation.
- C. Microsoft Defender SmartScreen: SmartScreen is a cloud-based reputation service that helps protect users from phishing and malware. It does not directly control the creation of child processes.
Suggested Answer: D. Exploit protection
Below are the citations to support the answer:
- Exploit protection, https://learn.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection
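The per-application child-process setting can be inspected and changed with the ProcessMitigations cmdlets. This is an added example, not part of the original question set; `LobApp.exe` and the export path are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
$app = 'LobApp.exe'   # hypothetical executable name of the LOB application

# Show the current per-app override, if one exists.
$current = Get-ProcessMitigation -Name $app
if ($current) {
    $current.ChildProcess | Format-List
} else {
    Write-Output "No per-app Exploit protection entry for $app; system defaults apply."
}

# Make sure the 'Do not allow child processes' mitigation is off for this app,
# and keep auditing on so child-process creation is still recorded.
Set-ProcessMitigation -Name $app -Disable DisallowChildProcessCreation
Set-ProcessMitigation -Name $app -Enable AuditChildProcess

# Re-read the setting to confirm the change.
(Get-ProcessMitigation -Name $app).ChildProcess | Format-List

# Export the configuration so it can be reviewed or deployed to other servers.
Get-ProcessMitigation -RegistryConfigFilePath 'C:\Temp\ExploitProtection.xml'

# Security-Mitigations events: 3 = child process audited, 4 = child process blocked.
Get-WinEvent -LogName 'Microsoft-Windows-Security-Mitigations/*' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 3, 4 } |
    Select-Object -First 20 TimeCreated, Id, Message
```

An event with ID 4 that names the application means the mitigation is still being enforced from another source, such as a policy-deployed Exploit protection XML file.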
Question 8
Correct Answer:
See interactive view.
Explanation:
The AI agrees with the suggested answer.
The suggested answer recommends applying GPO1 to both the Domain Controllers OU and the Domain Servers OU.
The reason for this recommendation is that GPO1 enforces Kerberos V5 authentication, which is the most suitable method for ensuring that only authenticated computer accounts can connect to members within the domain. Kerberos V5 is deeply integrated with Active Directory and provides a secure and efficient authentication mechanism. It minimizes administrative effort because it leverages the existing domain infrastructure for authentication.
Here's a breakdown:
- Domain Controllers OU: Applying GPO1 to this OU ensures that all domain controllers require Kerberos V5 authentication for communication. This secures the core infrastructure of the Active Directory domain.
- Domain Servers OU: Applying GPO1 to this OU ensures that all domain servers also require Kerberos V5 authentication. This secures the resources hosted on these servers and ensures that only authenticated computers can access them.
The question requires minimizing administrative effort and ensuring only authenticated computer accounts can connect. Kerberos V5 satisfies these requirements effectively by leveraging the existing AD infrastructure.
Reasons for not selecting other GPOs:
- GPO2 (Require certificate authentication): Certificate authentication, while secure, involves more administrative overhead for certificate issuance, renewal, and management. This contradicts the requirement to minimize administrative effort.
- GPO3 (Allow unauthenticated connections): Allowing unauthenticated connections directly violates the core requirement of ensuring that only authenticated computer accounts can connect.
Suggested Answer:
Apply GPO1 to Domain Controllers OU and Domain Servers OU.
Citations:
- Configure Authentication Methods, https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/configure-authentication-methods
Question 9
You have 100 Azure virtual machines that run Windows Server. The virtual machines are onboarded to Microsoft Defender for Cloud.
You need to shut down a virtual machine automatically if Microsoft Defender for Cloud generates the "Antimalware disabled in the virtual machine" alert for the virtual machine.
What should you use in Microsoft Defender for Cloud?
- A. a logic app
- B. a workbook
- C. a security policy
- D. adaptive network hardening
Correct Answer:
A
Explanation:
Based on the question and discussion, the AI agrees with the suggested answer of A (a logic app).
The primary reason for choosing a logic app is its ability to automate actions in response to specific triggers, such as security alerts generated by Microsoft Defender for Cloud. In this scenario, the requirement is to automatically shut down a virtual machine when Defender for Cloud generates the "Antimalware disabled in the virtual machine" alert. Logic Apps provide the necessary automation capabilities to achieve this.
Other options are not suitable for the following reasons:
- B. A workbook is primarily used for visualizing data and creating reports. It cannot trigger automated actions based on alerts.
- C. A security policy defines security configurations and standards. While it can help prevent security issues, it cannot automatically respond to specific alerts by shutting down a VM.
- D. Adaptive network hardening is a feature that recommends and configures network security group rules. It doesn't have the capability to automatically shut down VMs based on alerts.
Therefore, a Logic App is the most appropriate choice for automating the shutdown of a VM in response to a specific Microsoft Defender for Cloud alert.
Question 10
You have a Microsoft Sentinel deployment and 100 Azure Arc-enabled on-premises servers. All the Azure Arc-enabled resources are in the same resource group.
You need to onboard the servers to Microsoft Sentinel. The solution must minimize administrative effort.
What should you use to onboard the servers to Microsoft Sentinel?
- A. Azure Automation
- B. Azure Policy
- C. Azure virtual machine extensions
- D. Microsoft Defender for Cloud
Correct Answer:
B
Explanation:
Based on the question's requirements to minimize administrative effort when onboarding 100 Azure Arc-enabled servers to Microsoft Sentinel, and considering the discussion consensus, the suggested answer B (Azure Policy) is correct.
Reasoning:
- Azure Policy enables you to assess settings inside machines. Azure Policy includes a built-in policy definition to audit Windows and Linux VMs that aren't sending security event logs to the Log Analytics workspace.
- By using Azure Policy, you can enforce that all Azure Arc-enabled servers within a resource group are configured to send security logs to the designated Log Analytics workspace required by Microsoft Sentinel. This significantly reduces the manual effort required to onboard each server individually.
Reasons for not choosing other options:
- Azure Automation: While Azure Automation can be used to configure servers, it typically requires more manual configuration and scripting compared to Azure Policy, especially when dealing with a large number of servers. It is also not natively designed for continuous compliance monitoring like Azure Policy.
- Azure virtual machine extensions: VM extensions are primarily for post-deployment configuration and management within individual VMs. Applying extensions to 100 servers individually would be time-consuming and not aligned with minimizing administrative effort. Although VM extensions can be applied at scale using Azure Policy, the policy itself is the core mechanism providing the centralized management.
- Microsoft Defender for Cloud: Defender for Cloud enhances the security posture of cloud and on-premises workloads, including recommendations for onboarding to Microsoft Sentinel. While it provides valuable security insights and recommendations, it does not directly automate the onboarding process to the same extent as Azure Policy. It often works in conjunction with Azure Policy to implement its recommendations.
Using Azure Policy ensures consistent configuration and reduces the administrative burden associated with onboarding a large number of servers to Microsoft Sentinel.
Citations:
- Azure Policy Guest Configuration, https://learn.microsoft.com/en-us/azure/governance/policy/concepts/guest-configuration
- Monitor security configurations at scale, https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitor-security-configuration