Question 1 (medium, multiple choice)
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Network/networkSecurityGroups/securityRules"
},
"then": {
"effect": "deny",
"details": {
"field": "properties.destinationPortRange",
"notIn": ["22", "3389"]
}
}
}
}
}
Storage account name: seccorpstorage
Property: publicNetworkAccess = Disabled
Property: defaultAction = Deny
Property: networkRules.defaultAction = Deny
Property: networkRules.ipRules = []
Property: networkRules.virtualNetworkRules = []
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2020-06-01",
"name": "nsg-frontend",
"properties": {
"securityRules": [
{
"name": "AllowHTTPS",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "443",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "10.0.1.0/24",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
}
]
}
}
]
}
Refer to the exhibit.
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "modify",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"operations": [
{
"operation": "addOrReplace",
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.diskEncryptionSet.id",
"value": "/subscriptions/12345/resourceGroups/rg-keys/providers/Microsoft.Compute/diskEncryptionSets/des-production"
}
]
}
}
}
}
}
Refer to the exhibit.
$rg = 'rg-network'
$vnet = 'vnet-prod'
$subnet = 'snet-app'
$nic = 'nic-app1'   # not referenced below: the NSG is attached to the subnet, not to this NIC
$nsg = 'nsg-app'
# Create NSG
# Splatting: each hashtable key becomes a parameter of New-AzNetworkSecurityGroup.
$nsgParams = @{
  ResourceGroupName = $rg
  Name = $nsg
  Location = 'eastus'
}
$nsgObj = New-AzNetworkSecurityGroup @nsgParams
# Add rule to deny inbound from internet
# Protocol '*', destination '*' and port '*' make this a blanket deny for any
# inbound flow whose source matches the 'Internet' service tag. Priority 100 is
# evaluated before any higher-numbered allow rule in this NSG.
$ruleParams = @{
  Name = 'DenyInternetInbound'
  Access = 'Deny'
  Priority = 100
  Direction = 'Inbound'
  Protocol = '*'
  SourceAddressPrefix = 'Internet'
  SourcePortRange = '*'
  DestinationAddressPrefix = '*'
  DestinationPortRange = '*'
  NetworkSecurityGroup = $nsgObj
}
# Add-AzNetworkSecurityRuleConfig edits the in-memory NSG object; the piped
# Set-AzNetworkSecurityGroup is what commits the rule to Azure.
Add-AzNetworkSecurityRuleConfig @ruleParams | Set-AzNetworkSecurityGroup
# Associate NSG with subnet
$vnetObj = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnet
# NOTE(review): there is no null check — if no subnet named $subnet exists,
# $subnetObj is $null and the property assignment below errors out.
$subnetObj = $vnetObj.Subnets | Where-Object {$_.Name -eq $subnet}
# The association is only held in memory here; the Set-AzVirtualNetwork call
# that follows this block persists it.
$subnetObj.NetworkSecurityGroup = $nsgObj
Set-AzVirtualNetwork -VirtualNetwork $vnetObj
Refer to the exhibit.
{
"type": "Microsoft.Web/sites/config",
"apiVersion": "2022-03-01",
"name": "webapp-config",
"properties": {
"ftpsState": "FtpsOnly",
"minTlsVersion": "1.2",
"http20Enabled": true,
"siteAuthSettings": {
"enabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "12345-abcde-..."
},
"ipSecurityRestrictions": [
{
"ipAddress": "192.168.0.0/24",
"action": "Allow",
"priority": 100,
"name": "AllowCorporateNetwork",
"description": "Allow corporate IP range"
},
{
"ipAddress": "Any",
"action": "Deny",
"priority": 200,
"name": "DenyAll",
"description": "Deny all other traffic"
}
]
}
}
Refer to the exhibit.
{
"properties": {
"policyRule": {
"if": {
"field": "Microsoft.Sql/servers/auditingSettings/state",
"equals": "Disabled"
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Sql/servers/auditingSettings",
"existenceCondition": {
"field": "Microsoft.Sql/servers/auditingSettings/state",
"equals": "Enabled"
},
"deployment": {
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Sql/servers/auditingSettings",
"name": "[concat(parameters('serverName'), '/default')]",
"apiVersion": "2021-02-01-preview",
"properties": {
"state": "Enabled",
"storageEndpoint": "[parameters('storageEndpoint')]"
}
}
]
}
}
}
}
}
},
"parameters": {
"storageEndpoint": {
"type": "String",
"metadata": {
"displayName": "Storage Endpoint"
}
},
"serverName": {
"type": "String",
"metadata": {
"displayName": "SQL Server Name"
}
}
}
}
}
Refer to the exhibit.
# Resolve the resource group and the policy assignment whose compliance is being reported.
$rg = Get-AzResourceGroup -Name 'InfrastructureRG'
$policy = Get-AzPolicyAssignment -Name 'RequireSQLEncryption'
# Query policy compliance state restricted to the resource group.
# NOTE(review): it is not clear that piping the assignment's scope string narrows
# Get-AzPolicyState to this one assignment; the cmdlet has a -PolicyAssignmentName
# parameter for that — confirm against the Az.PolicyInsights version in use.
# The non-compliant filter and Format-Table on the following line consume $compliance.
$compliance = $policy.Properties.Scope | Get-AzPolicyState -ResourceGroupName $rg.ResourceGroupName
$compliance | Where-Object {$_.ComplianceState -eq 'NonCompliant'} | Format-Table ResourceId, ComplianceState
Refer to the exhibit.
Set-AzContext -Subscription 'Production'
$vnet = Get-AzVirtualNetwork -Name 'VNet-Prod' -ResourceGroupName 'RG-Prod'
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'Subnet-DB' -VirtualNetwork $vnet
$config = New-AzNetworkSecurityGroup -Name 'NSG-DB' -ResourceGroupName 'RG-Prod' -Location 'eastus'
$rule = New-AzNetworkSecurityRuleConfig -Name 'AllowSQL' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix '10.0.1.0/24' -SourcePortRange * -DestinationAddressPrefix '10.0.2.0/24' -DestinationPortRange 1433
$config | Add-AzNetworkSecurityRuleConfig -NetworkSecurityRule $rule
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $config
Set-AzVirtualNetworkSubnetConfig -Name 'Subnet-DB' -VirtualNetwork $vnet -NetworkSecurityGroup $config
$vnet | Set-AzVirtualNetwork
Refer to the exhibit.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"adminPassword": {
"reference": {
"keyVault": {
"id": "/subscriptions/.../resourceGroups/RG-KV/providers/Microsoft.KeyVault/vaults/KV-Prod"
},
"secretName": "VMAdminPassword"
}
}
}
}
Refer to the exhibit.
{
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/osProfile.windowsConfiguration.enableAutomaticUpdates",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
}
}
Refer to the exhibit.
$rg = Get-AzResourceGroup -Name 'ProductionRG'
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg.ResourceGroupName -Name 'WebNSG'
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'AllowHTTP' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix 'Internet' -SourcePortRange * -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 80 -Description 'Allow HTTP'
$nsg | Set-AzNetworkSecurityGroup
Refer to the exhibit.
// Successful interactive-remote logons over the last 7 days, grouped by account
// and source address, keeping only pairs seen more than 10 times.
SecurityEvent
| where TimeGenerated > ago(7d)
| where AccountType == "User"
// NOTE(review): Activity in SecurityEvent is a descriptive text column; the
// numeric event code is in EventID (the other queries on this page use
// `where EventID == 4625`) — confirm this equality filter matches any rows.
| where Activity == "4624"
// LogonType 10 is the Windows RemoteInteractive (RDP / Terminal Services) logon type.
| where LogonType == 10
// NOTE(review): the SecurityEvent column is spelled IpAddress in the 4625 query
// on this page; KQL column names are case-sensitive — confirm the spelling here.
| summarize LogonAttempts = count() by Account, IPAddress
| where LogonAttempts > 10
Refer to the exhibit.
```json
{
"properties": {
"status": "Active",
"activationMessage": "Approve access to Storage Account",
"approvalType": "Temporary",
"duration": "PT2H",
"justification": "Emergency troubleshooting",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c",
"startDateTime": "2024-03-01T10:00:00Z",
"expirationDateTime": "2024-03-01T12:00:00Z",
"memberType": "Direct",
"principalId": "12345678-1234-1234-1234-123456789abc",
"scope": "/subscriptions/abc123-def456-7890-abcd-ef1234567890/resourceGroups/Production/providers/Microsoft.Storage/storageAccounts/corpstorage"
}
}
```
Refer to the exhibit.
```kql
// Failed logons (EventID 4625) in the last hour, counted per account, host and
// source address; more than 10 failures from one triple is surfaced as a
// possible brute-force / password-guessing pattern.
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4625
| where AccountType == "User"
| summarize Count = count() by Account, Computer, IpAddress
| where Count > 10
// Keep only the columns an analyst needs to triage the hit.
| project Account, Computer, IpAddress, Count
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Network/azureFirewalls",
"apiVersion": "2023-02-01",
"name": "hub-firewall",
"location": "eastus",
"properties": {
"sku": {
"name": "AZFW_VNet",
"tier": "Standard"
},
"applicationRuleCollections": [
{
"name": "allow-web",
"priority": 100,
"action": {
"type": "Allow"
},
"rules": [
{
"name": "allow-msft",
"sourceAddresses": ["10.0.0.0/16"],
"targetFqdns": ["*.microsoft.com"],
"protocols": [
{
"protocolType": "Http",
"port": 80
},
{
"protocolType": "Https",
"port": 443
}
]
}
]
}
],
"networkRuleCollections": [],
"natRuleCollections": []
}
}
```
{
"properties": {
"policyRule": {
"if": {
"anyOf": [
{
"field": "Microsoft.Sql/servers/administrators/type",
"equals": "ActiveDirectory"
}
]
},
"then": {
"effect": "deny"
}
}
}
}
Get-AzKeyVault -VaultName 'ContosoVault' | Select-Object Name, ResourceGroup, Location, EnabledForDeployment, EnabledForDiskEncryption, EnabledForTemplateDeployment
// Inventory of security events per account, host and event id over the last
// hour. There is no EventID filter, so this is a volume overview rather than a
// detection; single-quoted string literals are valid KQL.
SecurityEvent
| where TimeGenerated > ago(1h)
| where AccountType == 'User'
| summarize count() by Account, Computer, EventID
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deny",
"details": {
"anyOf": [
{
"field": "Microsoft.Compute/virtualMachines/securityProfile.encryptionAtHost",
"equals": "false"
}
]
}
}
}
}
}
Get-AzKeyVaultManagedHsm -HsmName 'contoso-hsm' -ResourceGroupName 'RG1'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2023-01-01",
"name": "[parameters('storageAccountName')]",
"location": "[resourceGroup().location]",
"kind": "StorageV2",
"sku": {
"name": "Standard_GRS"
},
"properties": {
"minimumTlsVersion": "TLS1_2",
"supportsHttpsTrafficOnly": true
}
}
]
}
{
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
"exists": "true"
}
]
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
"notIn": ["Standard_LRS", "Premium_LRS"]
}
}
},
"parameters": {}
}
}
Get-AzSqlDatabaseVulnerabilityAssessmentRuleBaseline -ResourceGroupName 'rg-sql' -ServerName 'sqlsrv01' -DatabaseName 'sqldb01' -BaselineName 'default' -RuleId 'VA2108'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2021-02-01",
"name": "nsg-backend",
"location": "[resourceGroup().location]",
"properties": {
"securityRules": [
{
"name": "DenyAllInbound",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 1000,
"direction": "Inbound"
}
},
{
"name": "AllowHTTPFromFrontend",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "10.0.1.0/24",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
}
]
}
}
]
}
Refer to the exhibit.
```json
{
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk.storageAccountType",
"notEquals": "Premium_LRS"
}
]
},
"then": {
"effect": "deny"
}
}
}
}
```
Refer to the exhibit.
```
# Look up the Sentinel-enabled Log Analytics workspace, then the analytics rule by name.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName 'RG-Sentinel' -Name 'LAW-Sentinel'
$analyticsRule = Get-AzSentinelAlertRule -ResourceGroupName 'RG-Sentinel' -WorkspaceName $workspace.Name -RuleName 'MFA Disabled'
# Dump the rule's properties; the lines below are the command's output.
# Per that output, the rule fires only when a query run returns more than 5 rows
# (TriggerOperator GreaterThan, TriggerThreshold 5), each row being an
# IdentityLogonEvents record whose MfaDetail is "none".
$analyticsRule | Format-List
RuleName : MFA Disabled
Enabled : True
Severity : Medium
Query : IdentityLogonEvents | where MfaDetail == "none"
TriggerThreshold : 5
TriggerOperator : GreaterThan
```
Refer to the exhibit.
```bicep
// Azure SQL logical server hardened with a TLS 1.2 floor and public network access off.
resource sqlServer 'Microsoft.Sql/servers@2021-11-01' = {
  // uniqueString() derives a deterministic suffix from the resource group id.
  name: 'sql-${uniqueString(resourceGroup().id)}'
  location: resourceGroup().location
  properties: {
    administratorLogin: 'adminuser'
    // NOTE(review): the admin password is a plaintext literal, so it is readable by
    // anyone with access to this file or to the deployment. Bicep's @secure()
    // parameter decorator, or a Key Vault getSecret() reference, keeps it out of source.
    administratorLoginPassword: 'P@ssw0rd1234'
    minimalTlsVersion: '1.2'
    publicNetworkAccess: 'Disabled'
  }
}
```
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2023-09-01",
"name": "nsg-web",
"properties": {
"securityRules": [
{
"name": "AllowHTTP",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "80",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "*",
"access": "Allow",
"priority": 100,
"direction": "Inbound"
}
},
{
"name": "DenyAllOther",
"properties": {
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "*",
"sourceAddressPrefix": "*",
"destinationAddressPrefix": "*",
"access": "Deny",
"priority": 1000,
"direction": "Inbound"
}
}
]
}
}
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2023-09-01",
"name": "nsg-db",
"properties": {
"securityRules": [
{
"name": "DenySQLFromInternet",
"properties": {
"protocol": "Tcp",
"sourcePortRange": "*",
"destinationPortRange": "1433",
"sourceAddressPrefix": "Internet",
"destinationAddressPrefix": "VirtualNetwork",
"access": "Deny",
"priority": 100,
"direction": "Inbound"
}
}
]
}
}
]
}
{
"properties": {
"displayName": "Deny public IP on NICs",
"policyType": "Custom",
"mode": "All",
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/networkInterfaces"
},
{
"field": "Microsoft.Network/networkInterfaces/ipConfigurations[*].publicIPAddress.id",
"exists": "true"
}
]
},
"then": {
"effect": "Deny"
}
}
}
}
{
"properties": {
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
"then": {
"effect": "deny",
"details": {
"field": "Microsoft.Compute/virtualMachines/networkProfile.networkInterfaces[*].id"
}
}
}
}
}
{
"properties": {
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Compute/virtualMachines"
},
{
"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.managedDisk",
"exists": "false"
}
]
},
"then": {
"effect": "deny"
}
}
}
}