Exam SC-100 topic 5 question 11 discussion

From ChatGPT: For deleted backups, I would recommend using a security PIN for critical operations - to prevent a compromised administrator account from deleting the backups. This adds an additional layer of security to prevent unauthorized access to the backups. For disabled backups, I would recommend using Multi-user authorization by using Resource Guard - to prevent a compromised administrator account from disabling the backups. This allows you to specify which users are authorized to perform critical operations and limits the scope of potential attacks.

got this in exam 6oct23. passed with 896 marks. I answered 1. Soft delete of backups 2. Multi-user authorization by using Resource Guard

Deleted Backups: Soft delete of backups Azure Backup provides security features to help protect the backup data even after deletion. https://learn.microsoft.com/en-us/azure/backup/security-overview#soft-delete Disabled Backups on the MARS Agent: A security PIN for critical operations When data is backed up from on-premises servers with the MARS agent, data is encrypted with a passphrase. As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations for DPM, MABS, and MARS. https://learn.microsoft.com/en-us/azure/backup/security-overview#encryption-of-data https://learn.microsoft.com/en-us/azure/backup/backup-azure-security-feature#prevent-attacks When it comes to ransomware prevention, first enable the above critical security features. MUA is an additional layer of protection for the mentioned critical operations.

For deleted backups, the correct option is "Multi-user authorization by using Resource Guard". For disabled backups, the correct option is "Soft delete of backups".

Malicious delete protection: Protect against any accidental and malicious attempts for deleting your backups via soft delete of backups. The deleted backup data is stored for 14 days free of charge and allows it to be recovered from this state. Protected critical operations: Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults. Given answer is correct https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices

I would go (like others) for: Box 1 - MUA, because is more secure prevent than recover and its compatible from Azure Backup. Box 2 - PIN, it would be better MUA as well for this but because is triggered from MARS and disable with MUA from MARS is not natively supported , the next more secure would be PIN.

To address the risks mentioned in the image and follow Microsoft Security Best Practices, the appropriate selections are: Deleted backups: For protecting against a compromised administrator account deleting the backups, you should use Multi-user authorization by using Resource Guard. This ensures that critical operations, such as deleting backups, require multiple approvals, adding an extra layer of security. Disabled backups: For protecting against a compromised administrator account disabling the backups on the MARS agent, you should use A security PIN for critical operations. This requires a security PIN to perform critical operations, ensuring that even if an account is compromised, the backups cannot be easily disabled without the PIN. Thus, the selections are: Deleted backups: Multi-user authorization by using Resource Guard Disabled backups: A security PIN for critical operations

Finally found it. 1.Soft delete for backups. With soft-delete, if a user deletes the backup (of a VM, SQL Server database, Azure file share, SAP HANA database), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days retention of backup data in the soft delete state doesn't incur any cost. 2. MUA Azure Backup provides you with the Multi-User Authorization (MUA) feature to protect you from such rogue administrator attacks. Multi-user authorization helps protect against a rogue administrator performing destructive operations (that is, disabling soft-delete), by ensuring that every privileged/destructive operation is done only after getting approval from a security administrator. https://learn.microsoft.com/en-us/azure/backup/guidance-best-practices

Read question widely. It shows "Deleted backups" and "Disabled backups". So, your selections must provide a solution for those actions.. Not prevent actions like block deleting or disabling backup.. So, when risk of both backup deletion and disabling backup is success. What will you to? Box1: Soft delete of backups lets you restore "deleted" backups. Box2: Multi-user authorization lets you approve to perform to disable backup. So, action is not desired or controlled won't be performed by compromised admin account.

Given answer is correct. Key words are "design a recovery solution", not protecting.

Deleted backups - Security PIN Soft delete doesn't exist with MABS. Disabled - MUA by using Resource Guard

Why not both answers MUA? https://learn.microsoft.com/en-us/azure/backup/protect-backups-from-ransomware-faq#what-are-the-best-practices-to-configure-and-protect-azure-backups-against-security-and-ransomware-threats "We also recommend using Multi-user authorization (MUA) to protection critical operations on your Recovery Services vault. Ensure Multi-user authorization (MUA) is enabled to protect against rogue admin scenario. MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization."

1. Multi-user authorization by using Resource Guard MUA will prevent a single compromised admin account from deleting previously made backups. Some have suggested Soft Delete, but imo this will not mitigate the risk of the backups being deleted by a compromised admin account, however, it will increase the chance of recovery in the event of deletion happening (assuming < 14 days). I'd also guess that malicious actors would quietly wait for soft-deletes to expire before triggering the encryption. 2. Security PIN A Security PIN will help to prevent a compromised account from stopping protection at the MARS agent installed on the on-prem server. https://learn.microsoft.com/en-us/azure/backup/backup-azure-manage-mars#stop-protection-and-delete-backup-data Others have mentioned MUA, which I would agree to if this were disabling from the Azure Backups/Recovery Services Vault side, but the question mentioned disablement on the MARS agent. Happy to be corrected

Soft Delete isn't available for backups with MABS, so option 1 should be PIN, 2nd should be Resource Guard.

- Soft Delete - so a copy of the back is stored in the Recycle Bin for 14 Days which can be used to restore -Multi-user authorization by using Resource Guard - to ensure multiple authorization required for sensitive tasks

Review this below its the exact same question https://www.cert2brain.com/Server/Demo.aspx?exam=SC-100

As part of adding an extra layer of authentication for critical operations, you're prompted to enter a security PIN when you perform Stop Protection with Delete data and Change Passphrase operations. Multi-user authorization (MUA) for Azure Backup allows you to add an additional layer of protection to critical operations on your Recovery Services vaults and Backup vaults. For MUA, Azure Backup uses another Azure resource called the Resource Guard to ensure critical operations are performed only with applicable authorization. MUA protects against disabling backups and reducing retention for backups.