CCNA Security Infrastructure Solutions Questions

6 of 231 questions · Page 4/4 · Security Infrastructure Solutions topic · Answers revealed

226
MCQ · easy

Your organization uses Microsoft Purview to classify data assets. You need to design a solution that automatically scans data sources in Azure SQL Database for sensitive information. Which Purview scanner should you configure?

A. Azure SQL Scanner (Purview)
B. Purview scanning rule set for Azure SQL Database
C. Purview Insights
D. Microsoft Defender for SQL
Answer: B

Purview can scan Azure SQL Database using built-in scanning rule sets.

Why this answer

Option C is correct because Purview's scanning capability supports Azure SQL Database natively. Option A is wrong because Purview does not have a scanner named 'Azure SQL Scanner'; it uses the built-in scan. Option B is wrong because Microsoft Defender for SQL is a security product, not a classification scanner.

Option D is wrong because Purview Insights is a reporting feature.

227
Multi-Select · hard

Your organization is implementing a defense-in-depth strategy for a multi-tier application hosted on Azure. You need to secure the network layers. Which THREE measures should you implement?

Select 3 answers
A. Enable Azure DDoS Protection on the virtual network.
B. Configure Azure Front Door to protect the application layer.
C. Implement Azure Firewall for traffic inspection and filtering.
D. Deploy a site-to-site VPN gateway.
E. Use network security groups (NSGs) to control traffic between subnets.
Answers: A, C, E

DDoS Protection is a key network security layer.

Why this answer

Option B is correct because Azure Firewall provides centralized inbound and outbound traffic filtering. Option C is correct because network security groups (NSGs) provide micro-segmentation at the subnet or NIC level. Option D is correct because Azure DDoS Protection helps mitigate volumetric attacks.

Option A is wrong because a VPN gateway is for connectivity, not a network security layer. Option E is wrong because Azure Front Door is an application delivery and security service, but it is not a general network security layer for all tiers; it is more specific to web applications.

228
Multi-Select · medium

You are designing a security solution for Azure SQL Database. The requirements include: encrypting data at rest and in transit, and masking sensitive data from non-privileged users. Which two features should you implement? (Choose two.)

Select 2 answers
A. Dynamic Data Masking
B. Azure Firewall
C. Transparent Data Encryption (TDE)
D. Column-level encryption
E. Always Encrypted
Answers: A, C

Masks sensitive data from non-privileged users.

Why this answer

Options A and B are correct: TDE encrypts data at rest, and Dynamic Data Masking hides sensitive data from non-privileged users. Option C is wrong because Always Encrypted protects data in transit between client and server but does not mask data. Option D is wrong because Azure Firewall is a network security service, not a database feature.

Option E is wrong because Transparent Data Encryption is at rest, not column-level.

229
MCQ · medium

You are a security architect for a healthcare organization that is adopting Microsoft 365 and Azure. The organization must comply with HIPAA and has the following requirements:

- All users must use multi-factor authentication (MFA) when accessing Microsoft 365 from outside the corporate network.
- Mobile devices must be managed and must be compliant before accessing email.
- Access to Azure virtual machines must be limited to specific admin users and must be audited.
- All sensitive data stored in Azure SQL Database must be encrypted at rest and in transit.

You have the following technologies: Microsoft Entra ID, Microsoft Intune, Azure SQL Database, Azure Policy, Azure Key Vault, Microsoft Defender for Cloud, and Azure Bastion. Which combination of services and configurations should you implement?

A. Configure Conditional Access to require MFA only for external access, use Intune for mobile device management, deploy Always Encrypted for Azure SQL Database, and use Azure AD Application Proxy for VM access.
B. Configure Microsoft Entra PIM for MFA, use Intune for mobile devices, deploy Azure VPN Gateway for VM access, and enable Double Encryption for Azure SQL Database.
C. Configure Conditional Access policies for MFA, use Intune compliance policies for mobile devices, deploy Azure Bastion for VM access with audit logging, and enable TDE and enforce TLS for Azure SQL Database.
D. Use Azure AD Identity Protection for MFA, use Microsoft Endpoint Manager for device compliance, deploy Azure Firewall for VM access, and use Azure Key Vault for SQL encryption keys.
Answer: C

Meets all requirements: MFA, device compliance, secure VM access, encryption.

Why this answer

Option B is correct: Conditional Access with MFA for external access; Intune compliance policies for mobile devices; Azure Bastion for secure VM access with audit; Transparent Data Encryption (TDE) for at-rest encryption and TLS for in-transit. Option A is incorrect: Always Encrypted is for column-level encryption, but TDE is simpler for HIPAA. Option C is incorrect: Azure AD Application Proxy is not for VM access.

Option D is incorrect: Azure Firewall does not provide audit for VM access.

230
MCQ · hard

Your organization is deploying Azure SQL Managed Instance (SQL MI) with sensitive financial data. You need to design a security solution that includes data encryption at rest and in transit, threat detection, and fine-grained access control. The solution must also ensure that database administrators (DBAs) cannot access the data. What should you include?

A. Enable TDE and use server-level firewall rules. Use SQL authentication. Enable auditing.
B. Enable TDE and Always Encrypted for sensitive columns. Use Azure AD authentication. Enable Microsoft Defender for Cloud (SQL) for threat detection. Use Azure Policy to deny DBA access.
C. Use client-side encryption with Always Encrypted. Use SQL authentication. Enable Advanced Threat Protection.
D. Enable TDE and use row-level security (RLS). Use Azure AD authentication. Enable Defender for SQL.
Answer: B

TDE encrypts at rest; Always Encrypted prevents DBAs from seeing column data; Azure AD auth eliminates shared passwords; Defender for Cloud detects threats.

Why this answer

Option D uses TDE for at-rest encryption, Always Encrypted for column-level encryption, Defender for Cloud for threat detection, and Azure AD authentication to prevent DBA access. Option A lacks Always Encrypted; Option B lacks column encryption; Option C uses client-side encryption incorrectly.

231
MCQ · medium

Your organization is using Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. You need to ensure that all virtual machines in the subscriptions are monitored by Defender for Cloud and that security alerts are sent to the security operations team. You also need to enforce that any new VMs are automatically onboarded to Defender for Cloud. You have a Log Analytics workspace in the central subscription. What should you do?

A. Enable Defender for Cloud on each subscription and configure email notifications for alerts.
B. Assign an Azure Policy that deploys the Log Analytics agent to all VMs.
C. In Defender for Cloud, enable auto-provisioning for the Log Analytics agent at the management group level and specify the central workspace.
D. Create a Log Analytics workspace in each subscription and configure Defender for Cloud to use that workspace.
Answer: C

Auto-provisioning at management group level ensures all subscriptions are covered and new VMs are automatically onboarded.

Why this answer

Option C is correct because enabling auto-provisioning of the Log Analytics agent at the management group scope ensures all VMs across subscriptions are monitored and new VMs are automatically onboarded. Option A is wrong because configuring only the workspace does not auto-provision. Option B is wrong because Azure Policy can enforce agent deployment, but auto-provisioning is simpler and more direct.

Option D is wrong because enabling Defender for Cloud at the subscription level does not automatically install the agent.
