You have a server named Server1 that runs Windows Server. You install a custom app named App1 that is accessed by using TCP port 52310. Users report that they cannot access App1. You confirm that App1 is running on Server1. You need to ensure that the users can access App1. The solution must only provide access to App1 on Server1. What should you do in Windows Defender Firewall with Advanced Security?
Answer(s): C
To provide secure access to an app using Windows Defender Firewall with Advanced Security, open the tool, select Inbound Rules, create a New Rule, choose Port as the rule type, select TCP, enter the app's specific port number in Specific local ports, choose to Allow the connection, and then select the appropriate network profiles. Finally, give the rule a descriptive name and click Finish to apply it.
https://learn.microsoft.com/en-us/sql/sql-server/install/configure-the-windows-firewall-to-allow-sql-server-access
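The same inbound port rule built with the NetSecurity cmdlets, as an added example that is not part of the exam page. The rule name, the profiles and the App1 install path are assumptions; the optional -Program scope tightens the rule beyond the plain port rule the answer describes.

```powershell
# Added example (not from the exam page). Names, profiles and the App1 path are
# assumed placeholders for illustration.
$RuleName = 'Allow App1 (TCP 52310 inbound)'
$Port     = 52310
$AppPath  = 'C:\Program Files\App1\App1.exe'   # assumed install path of App1

# Least privilege: inbound only, one protocol, one local port. Scoping the rule to
# the App1 executable as well (optional) means the port is not opened for any
# other process that may later bind to 52310.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort $Port `
    -Program $AppPath `
    -Action Allow `
    -Profile Domain, Private `
    -Enabled True | Out-Null

# Read the rule back and confirm it exposes exactly one TCP port for one program.
function Test-App1Rule {
    $rule       = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
    $portFilter = $rule | Get-NetFirewallPortFilter
    $appFilter  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Enabled   = $rule.Enabled
        Direction = $rule.Direction
        Action    = $rule.Action
        Protocol  = $portFilter.Protocol
        LocalPort = $portFilter.LocalPort
        Program   = $appFilter.Program
        # True only when the rule is as narrow as the question requires
        Scoped    = ($rule.Direction -eq 'Inbound' -and
                     $portFilter.Protocol -eq 'TCP' -and
                     "$($portFilter.LocalPort)" -eq "$Port" -and
                     $appFilter.Program -ne 'Any')
    }
}

Test-App1Rule | Format-List
```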
HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription that contains an Azure key vault named Vault1. You deploy Azure Disk Encryption. You configure Vault1 to support Azure Disk Encryption. You need to ensure that you can encrypt Azure Disk Encryption artifacts before they are written to Vault1. The solution must provide the highest level of encryption. How should you complete the command? To answer, select the appropriate options in the answer area.
Note: Each correct selection is worth one point.
Hot Area:
Answer(s): A
Box 1: key
Create and configure a key vault for Azure Disk Encryption on a Windows VM
Set up a key encryption key (KEK)
If you want to use a key encryption key (KEK) for an additional layer of security for encryption keys, add a KEK to your key vault. When a key encryption key is specified, Azure Disk Encryption uses that key to wrap the encryption secrets before writing to Key Vault. Use the Azure CLI az keyvault key create command to generate a new KEK and store it in your key vault.
az keyvault key create --name "myKEK" --vault-name "<your-unique-keyvault-name>" --kty RSA --size 4096
Box 2: RSA-HSM
For 4096-bit encryption choose RSA-HSM.
Note: Which to choose
For maximum key security: Always use an HSM (like EC-HSM or RSA-HSM) to protect your keys, regardless of the algorithm you choose.
Key types and protection methods
Key Vault Premium and Standard support RSA and EC keys. Managed HSM supports RSA, EC, and symmetric keys.
HSM-protected keys
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault https://learn.microsoft.com/en-us/azure/key-vault/keys/about-keys
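The completed answer (an HSM-protected 4096-bit RSA KEK, then ADE enabled on a VM with that KEK) carried through with the Az PowerShell module, as an added example that is not from the exam page or Microsoft's documentation. Vault, resource group, VM and key names are assumed placeholders; the vault is assumed to be a Premium vault in the same region and tenant as the VM.

```powershell
# Added example (not from the exam page). All names below are assumed placeholders.
$VaultName = 'Vault1'
$Rg        = 'RG1'
$VmName    = 'VM1'
$KekName   = 'myKEK'

# 1. ADE can only write BitLocker secrets to a vault that is enabled for disk
#    encryption. The vault must also sit in the VM's region and tenant.
Set-AzKeyVaultAccessPolicy -VaultName $VaultName -ResourceGroupName $Rg -EnabledForDiskEncryption

# 2. Create the KEK in the HSM (key type RSA-HSM, 4096-bit). -Destination HSM
#    requires a Premium vault; 'Software' would give a plain RSA key instead.
$kek = Add-AzKeyVaultKey -VaultName $VaultName -Name $KekName `
           -Destination HSM -KeyType RSA -Size 4096

# 3. Enable ADE on the VM and hand it the KEK. ADE wraps the volume encryption
#    secret with this key before the secret is stored in the vault.
$vault = Get-AzKeyVault -VaultName $VaultName -ResourceGroupName $Rg
Set-AzVMDiskEncryptionExtension -ResourceGroupName $Rg -VMName $VmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri `
    -DiskEncryptionKeyVaultId  $vault.ResourceId `
    -KeyEncryptionKeyUrl       $kek.Id `
    -KeyEncryptionKeyVaultId   $vault.ResourceId `
    -VolumeType All -Force

# 4. Verify: the key type must read RSA-HSM (not RSA) and the OS volume must
#    report as encrypted once the extension finishes.
function Test-AdeWithHsmKek {
    $status = Get-AzVMDiskEncryptionStatus -ResourceGroupName $Rg -VMName $VmName
    [pscustomobject]@{
        KekType      = $kek.Key.Kty
        KekIsHsm     = ($kek.Key.Kty -eq 'RSA-HSM')
        OsEncrypted  = $status.OsVolumeEncrypted
        DataEncrypted= $status.DataVolumesEncrypted
    }
}

Test-AdeWithHsmKek | Format-List
```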
HOTSPOT (Drag and Drop is not supported)
You plan to deploy an Azure confidential virtual machine named VM1. You need to ensure that you can implement confidential disk encryption for VM1. What should you do? To answer, select the appropriate options in the answer area.
Note: Each correct selection is worth one point.
Hot Area:
Box 1: DC
Use virtual machine series
Confidential VMs support the following VM sizes:
General Purpose without local disk: DCasv5-series, DCesv5-series
General Purpose with local disk: DCadsv5-series, DCedsv5-series
Memory Optimized without local disk: ECasv5-series, ECesv5-series
Memory Optimized with local disk: ECadsv5-series, ECedsv5-series
NVIDIA H100 Tensor Core GPU powered: NCCadsH100v5-series
Box 2: The operating system disk, data disks, and temporary disk
Disks that can be encrypted
Confidential OS disk encryption
Azure confidential VMs offer a new and enhanced disk encryption scheme. This scheme protects all critical partitions of the disk.
Confidential temp disk encryption
You can also extend the protection of confidential disk encryption to the temp disk. We enable this by leveraging an in-VM symmetric key encryption technology, after the disk is attached to the CVM.
https://learn.microsoft.com/en-us/azure/confidential-computing/confidential-vm-overview
HOTSPOT (Drag and Drop is not supported)
Your network contains an on-premises Active Directory Domain Services (AD DS) domain. The domain contains the servers shown in the following table. For each server, Windows Defender Firewall is configured to allow only communication between servers on the same segment.
Server1 has the following connection security rule:
Name: Rule1
Rule type: Isolation
Requirement: Require authentication for inbound connections and request authentication for outbound connections
Authentication method: Computer (Kerberos V5)
Profile: Domain, Private, Public
Server2 does not have any connection security rules.
Server3 has the following connection security rule:
Name: Rule3
Rule type: Server-to-server
Endpoints:
Computers in Endpoint 1: 192.168.5.0/24
Computers in Endpoint 2: 192.168.1.0/24
Requirement: Request authentication for inbound and outbound connections
Authentication method: Computer (Kerberos V5)
Profile: Domain, Private, Public
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Note: Each correct selection is worth one point.
Hot Area:
Box 1: Yes
Yes - Server1 can initiate communication with Server2 successfully.
Server1 and Server2 are in the same network segment. The Server1 isolation connection security rule will allow communication between Server1 and Server2: Server1 only requests authentication for outbound connections, and Server2 has no connection security rules.
Note: Windows Defender Firewall is configured to allow only communication between servers on the same segment.
Box 2: Yes
Yes - Server2 can initiate communication with Server3 successfully.
Server2 and Server3 are in different network segments. Server2 has no connection security rules. Server3 has a connection security rule whose endpoints cover the Server2 and Server3 network segments, and that rule only requests authentication for inbound and outbound connections.
Box 3: No
No - Server3 can initiate communication with Server1 successfully.
The Server1 isolation connection security rule will disallow communication between Server3 and Server1.
Note: A Windows Defender Firewall isolation rule restricts communication and prevents it from traversing between different network segments by design, as its primary function is to isolate computers by limiting connections based on credentials. Instead of allowing broad communication, isolation rules are configured to enforce authentication and restrict connections only to other members of the same isolated domain or specified authentication exemptions.
https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/rules
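Rule1 and Rule3 from the scenario expressed as NetSecurity cmdlets, with a read-back of the one setting that decides each Yes/No (whether inbound authentication is required or only requested). This is an added example, not part of the exam page; the auth-set display name is assumed, and Rule1 would be created on Server1 and Rule3 on Server3.

```powershell
# Added example (not from the exam page). Run Rule1 on Server1 and Rule3 on
# Server3; the auth set name is an assumed placeholder.

# Both rules authenticate the computer account with Kerberos V5 (phase 1).
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' -Proposal $proposal

# Rule1 (Server1): isolation. Inbound connections MUST authenticate, outbound
# only request it. Unauthenticated inbound traffic is dropped.
New-NetIPsecRule -DisplayName 'Rule1' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain, Private, Public | Out-Null

# Rule3 (Server3): server-to-server between the two segments. Request-only in
# both directions, so traffic still flows when the peer does not authenticate.
New-NetIPsecRule -DisplayName 'Rule3' `
    -LocalAddress 192.168.5.0/24 -RemoteAddress 192.168.1.0/24 `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain, Private, Public | Out-Null

# Summarise every connection security rule on this host: a rule with
# InboundSecurity = Require is the only one that can block a peer outright.
function Get-CsrSummary {
    Get-NetIPsecRule | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name                 = $_.DisplayName
            InboundSecurity      = $_.InboundSecurity
            OutboundSecurity     = $_.OutboundSecurity
            LocalAddress         = ($addr.LocalAddress  -join ',')
            RemoteAddress        = ($addr.RemoteAddress -join ',')
            BlocksUnauthInbound  = ($_.InboundSecurity -eq 'Require')
        }
    }
}

Get-CsrSummary | Format-Table -AutoSize
```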
Your network contains an Active Directory Domain Services (AD DS) domain. You need to configure a ticket-granting ticket (TGT) lifetime for specific user and computer accounts. The solution must meet the following requirements:
Minimize the impact on the other user and computer accounts in the domain.
Minimize administrative effort.
What should you configure?
To configure a specific TGT lifetime for selected users and computers in an Active Directory Domain Services (AD DS) domain, use the Authentication Policies and Authentication Policy Silos feature by creating an Authentication Policy, configuring its TGT lifetime, and then assigning it to an Authentication Policy Silo that contains the target user and computer accounts. This provides more granular control than the domain-wide Kerberos Policy settings in Group Policy.
Here are the steps:
1. Open Active Directory Administrative Center (ADAC): Open ADAC and navigate to the Authentication Policy Silos container.
2. Create an Authentication Policy.
3. Create an Authentication Policy Silo.
4. Add Users and Computers to the Silo.
5. Assign the Authentication Policy to the Silo.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts
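The five ADAC steps above as ActiveDirectory module cmdlets, with a check that the policy really applies to the silo members. Added example, not from the exam page or Microsoft's documentation; the policy and silo names, the 120-minute lifetime and the sample accounts are assumed placeholders, and the domain is assumed to meet the prerequisites for authentication policies (Windows Server 2012 R2 domain functional level and KDC support for Dynamic Access Control and Kerberos armoring enabled).

```powershell
# Added example (not from the exam page). Names, lifetime and accounts are
# assumed placeholders; run as a domain admin where RSAT AD tools are present.
Import-Module ActiveDirectory

$PolicyName = 'ShortTGT-Policy'
$SiloName   = 'ShortTGT-Silo'
$TgtMinutes = 120
$Users      = @('admin1')
$Computers  = @('SRV1')

# Step 2: the policy sets the TGT lifetime only for accounts it is applied to;
# the domain-wide Kerberos Policy in the Default Domain Policy stays untouched.
New-ADAuthenticationPolicy -Name $PolicyName `
    -UserTGTLifetimeMins $TgtMinutes `
    -ComputerTGTLifetimeMins $TgtMinutes `
    -Enforce

# Steps 3 and 5: a silo that binds the policy to both its user and computer members.
New-ADAuthenticationPolicySilo -Name $SiloName `
    -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName `
    -Enforce

# Step 4: membership is two-sided. The silo must grant access AND the account
# must be assigned to the silo; with only one side done the policy does not apply.
foreach ($u in $Users) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $u
    Set-ADUser -Identity $u -AuthenticationPolicySilo $SiloName
}
foreach ($c in $Computers) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account "$c`$"
    Set-ADComputer -Identity $c -AuthenticationPolicySilo $SiloName
}

# Check: each intended account reports the silo, and the silo reports the policy.
function Test-SiloAssignment {
    $silo = Get-ADAuthenticationPolicySilo -Identity $SiloName
    foreach ($u in $Users) {
        $a = Get-ADUser -Identity $u -Properties AuthenticationPolicySilo
        [pscustomobject]@{ Account = $u; Kind = 'User';
            InSilo = ("$($a.AuthenticationPolicySilo)" -like "*$SiloName*")
            PolicyBound = ("$($silo.UserAuthenticationPolicy)" -like "*$PolicyName*") }
    }
    foreach ($c in $Computers) {
        $a = Get-ADComputer -Identity $c -Properties AuthenticationPolicySilo
        [pscustomobject]@{ Account = $c; Kind = 'Computer';
            InSilo = ("$($a.AuthenticationPolicySilo)" -like "*$SiloName*")
            PolicyBound = ("$($silo.ComputerAuthenticationPolicy)" -like "*$PolicyName*") }
    }
}

Test-SiloAssignment | Format-Table -AutoSize
```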
Your on-premises network contains an Active Directory Domain Services (AD DS) domain. The domain contains five servers that run Windows Server. The network also contains two workgroup servers that run Windows Server. You need to implement a connection security rule between the member servers and the workgroup servers. Which authentication method should you use?
For connection security rules between member servers and workgroup servers in an Active Directory (AD) domain, you should use Kerberos. The workgroup server needs to be able to authenticate with the domain, and the default and preferred protocol for this in an AD environment is Kerberos, which issues tickets for secure, ticket-based authentication.
User (Kerberos V5) authentication versus Computer (Kerberos V5) authentication
The core difference is who or what is authenticating to the network: User authentication verifies a human user's identity, typically using their password, while Computer (or host) authentication verifies the identity of a machine on the network, using its machine account credentials instead of a password. Both rely on the same underlying Kerberos V5 protocol for ticket-based authentication to a Key Distribution Center (KDC), but they use different principal names--username@REALM
https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
HOTSPOT (Drag and Drop is not supported)
You have a server that runs Windows Server. You need to enable the following security features:
Core isolation
Force randomization for images (Mandatory ASLR)
Which Windows Security tile should you use to enable each feature? To answer, select the appropriate options in the answer area.
Note: Each correct selection is worth one point.
Hot Area:
Box 1: Device Security
Core isolation
To enable Core isolation (Memory Integrity) in Windows Server, open the Windows Security app and navigate to Device Security > Core Isolation Details. Toggle Memory Integrity to the On position and restart your computer for the change to take effect. Ensure your system firmware supports virtualization (UEFI mode is required) and that there are no incompatible drivers causing conflicts.
Box 2: App & browser control
Force randomization for images (Mandatory ASLR)
To force Address Space Layout Randomization (ASLR) for all executables on Windows Server, navigate to Windows Security > App & browser control > Exploit protection settings, and then set "Force randomization for images (Mandatory ASLR)" to "On by default". This setting applies system-wide but may cause compatibility issues with older applications that don't fully support ASLR.
https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
https://learn.microsoft.com/en-us/defender-endpoint/customize-exploit-protection
You have an Azure subscription that contains the Azure key vaults shown in the following table. You create a virtual machine that has the following configurations:
Name: VM1
Resource group: RG1
Azure region: East US
Operating system: Windows Server
You need to enable Azure Disk Encryption for VM1. Which key vault can you use to store the encryption key for VM1?
Vault1 and Vault2 are in the same region as VM1.
Note: When using Azure Disk Encryption (ADE), the Azure Key Vault that stores the encryption keys must be in the same Azure region and same Microsoft Entra tenant as the virtual machine (VM) to be encrypted. This is a requirement for ADE to control and manage the encryption keys for the VM's disks.
https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-key-vault
Share your comments for Microsoft AZ-801 exam with other users:
I am impressed with the quality of these dumps. The questions and answers were easy to understand and the xengine app was very helpful to use.