I say D too.
B is a preventive control before ransomware attacks happen. The question here is asking how to limit the scope of damage if an attack has happened. An emergency access account will prevent you from being locked out.
No, you don't understand the concept of PAWs. Their purpose is exactly to "limit the scope of damage" in case of an attack. Because privileged operations can only be made from PAWs, NOT from ANY other devices, including the compromised ones. A Domain Admin can only authenticate from a PAW, thus the attacker can NEVER get Domain Admin privileges, even if he has credentials of a Domain Admin.
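The tiering rule described above (Tier-0 accounts such as Domain Admins authenticate only from PAWs) is something a SOC can verify from logon telemetry. The following is an added example, not code from the thread or from Microsoft: it scans constructed, simplified Windows Security event 4624 records (key=value, one event per line) and flags successful logons of Tier-0 accounts from hosts that are not in the PAW inventory. The host names, account names, PAW set and log lines are all assumptions made up for the example.

```python
"""Detect Tier-0 (e.g. Domain Admin) logons from devices that are not PAWs.

Added example, not from the forum thread. Field names mirror Windows
Security event 4624 (TargetUserName, WorkstationName, LogonType,
IpAddress) but the layout is simplified to key=value pairs per line.
"""
import re
from dataclasses import dataclass

# Assumption: hostnames registered as PAWs (in practice from an inventory/CMDB).
PAW_HOSTS = {"PAW-ADM01", "PAW-ADM02"}
# Assumption: accounts holding Tier-0 privileges (e.g. members of Domain Admins).
TIER0_ACCOUNTS = {"da-alice", "da-bob"}

# Constructed sample events; the third line is the violation we want to catch
# (da-bob authenticating over the network from a finance user workstation).
SAMPLE_LOG = """\
EventID=4624 TargetUserName=da-alice WorkstationName=PAW-ADM01 LogonType=2 IpAddress=10.0.0.5
EventID=4624 TargetUserName=jsmith WorkstationName=WS-FIN07 LogonType=2 IpAddress=10.0.1.22
EventID=4624 TargetUserName=da-bob WorkstationName=WS-FIN07 LogonType=3 IpAddress=10.0.1.22
EventID=4625 TargetUserName=da-bob WorkstationName=WS-HR03 LogonType=3 IpAddress=10.0.2.9
EventID=4624 TargetUserName=da-alice WorkstationName=paw-adm02 LogonType=10 IpAddress=10.0.0.6
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Finding:
    account: str
    workstation: str
    logon_type: str
    ip: str


def parse_event(line: str) -> dict:
    """Turn one 'key=value key=value' line into a dict."""
    return dict(FIELD_RE.findall(line))


def is_paw(hostname: str) -> bool:
    """Hostname comparison is case-insensitive: NetBIOS names vary in case."""
    return hostname.upper() in PAW_HOSTS


def find_tier_violations(log_text: str, tier0=TIER0_ACCOUNTS) -> list:
    """Return successful (4624) logons of Tier-0 accounts from non-PAW hosts.

    Failed logons (4625) are ignored here; they are worth alerting on
    separately but do not indicate the control has been bypassed.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        if ev.get("TargetUserName") not in tier0:
            continue
        ws = ev.get("WorkstationName", "")
        if not is_paw(ws):
            findings.append(Finding(ev["TargetUserName"], ws,
                                    ev.get("LogonType", ""), ev.get("IpAddress", "")))
    return findings


if __name__ == "__main__":
    for f in find_tier_violations(SAMPLE_LOG):
        print(f"TIER VIOLATION: {f.account} logged on from non-PAW host "
              f"{f.workstation} (LogonType {f.logon_type}, {f.ip})")
```

The same logic applies to a real event stream once the parser is swapped for the SIEM's own 4624 fields; the interesting design choice is that the detection keys on the PAW inventory rather than on the account list alone, so a Domain Admin credential used from a compromised user workstation surfaces even when the logon itself succeeded.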
Yeah, PAWs are great for protecting admin activities from compromise, but if they're impacted, you could still be locked out without break-glass accounts.
B is the answer.
https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices#device-roles-and-profiles
Privileged Access Workstation (PAW) – This is the highest security configuration designed for extremely sensitive roles that would have a significant or material impact on the organization if their account was compromised. The PAW configuration includes security controls and policies that restrict local administrative access and productivity tools to minimize the attack surface to only what is absolutely required for performing sensitive job tasks. This makes the PAW device difficult for attackers to compromise because it blocks the most common vector for phishing attacks: email and web browsing. To provide productivity to these users, separate accounts and workstations must be provided for productivity applications and web browsing. While inconvenient, this is a necessary control to protect users whose account could inflict damage to most or all resources in the organization.
In a ransomware response plan aligned with Microsoft Security Best Practices, one of the key recommendations is to ensure that your organization is not locked out of Azure AD or critical resources during an attack.
Emergency access accounts (sometimes called "break-glass accounts") are:
• Highly privileged accounts created specifically for crisis scenarios.
• Stored securely and used only when normal administrative accounts are unavailable or compromised.
• Exempt from Conditional Access policies and MFA requirements to guarantee access even if identity systems are disrupted.
D. emergency access accounts
Emergency access accounts (also called break-glass accounts) are highly privileged accounts.
Excluded from Conditional Access policies and MFA enforcement to ensure access during outages or ransomware incidents.
https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
Privileged Access Workstations (PAWs) provide a secure environment for sensitive accounts by reducing the attack surface of the device. They are part of a holistic privileged access strategy but do not guarantee recovery if all accounts are locked out. Emergency access accounts are still required for business continuity.
https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-devices
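The property the answer above relies on (break-glass accounts are excluded from Conditional Access so they keep working when identity enforcement misfires) is easy to lose when someone adds a new policy. The following is an added example, not code from the thread or from Microsoft: it checks a list of policy objects and reports every enabled policy that targets a break-glass account without excluding it. The policy dictionaries are constructed for the example and follow the field names of the Microsoft Graph conditionalAccessPolicy resource as I understand them (displayName, state, conditions.users.includeUsers/excludeUsers/includeGroups, grantControls.builtInControls); the account object IDs are placeholders. In practice the input would be the JSON returned by the Graph policies endpoint.

```python
"""Check that emergency access (break-glass) accounts are excluded from
every enabled Conditional Access policy that targets them.

Added example, not from the thread or Microsoft docs. Policy objects
are constructed; field names follow the Microsoft Graph
conditionalAccessPolicy shape (assumption).
"""

# Assumption: object IDs of the two emergency access accounts (placeholders).
BG1 = "00000000-0000-0000-0000-00000000bg01"
BG2 = "00000000-0000-0000-0000-00000000bg02"
BREAK_GLASS_IDS = {BG1, BG2}

# Constructed sample policies covering the cases that matter.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BG1, BG2]}},
     "grantControls": {"builtInControls": ["mfa"]}},          # correct
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BG1]}},
     "grantControls": {"builtInControls": ["block"]}},        # BG2 missing
    {"displayName": "Require compliant device for admins", "state": "enabled",
     "conditions": {"users": {"includeUsers": [], "includeGroups": ["admins-group-id"],
                              "excludeUsers": []}},
     "grantControls": {"builtInControls": ["compliantDevice"]}},  # group-scoped, no exclusion
    {"displayName": "Finance only MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["some-finance-user-id"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},          # does not target break-glass
    {"displayName": "Old pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []}},
     "grantControls": {"builtInControls": ["mfa"]}},          # disabled: cannot lock out
]


def targets_account(users: dict, account_id: str) -> bool:
    """True if the policy's user scope could include account_id.

    Group membership cannot be resolved offline, so any includeGroups
    entry is treated conservatively as possibly containing the account.
    """
    include_users = users.get("includeUsers", [])
    if "All" in include_users or account_id in include_users:
        return True
    return bool(users.get("includeGroups"))


def missing_exclusions(policies: list, break_glass_ids=BREAK_GLASS_IDS) -> dict:
    """Map displayName -> set of break-glass IDs that an enabled policy
    targets but does not exclude. Empty dict means the control holds."""
    gaps = {}
    for policy in policies:
        if policy.get("state") != "enabled":
            continue  # disabled/report-only policies do not enforce anything
        users = policy.get("conditions", {}).get("users", {})
        excluded = set(users.get("excludeUsers", []))
        missing = {bg for bg in break_glass_ids
                   if targets_account(users, bg) and bg not in excluded}
        if missing:
            gaps[policy["displayName"]] = missing
    return gaps


if __name__ == "__main__":
    for name, ids in missing_exclusions(SAMPLE_POLICIES).items():
        print(f"POLICY '{name}' does not exclude break-glass accounts: {sorted(ids)}")
```

Run this from a scheduled job against the exported policies and alert on any non-empty result; report-only policies are skipped here because they do not enforce, but it is worth extending the check to them so the exclusion is already in place when such a policy is switched on.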
B. Privileged Access Workstations (PAWs)
This recommendation will help mitigate the risks of ransomware attacks on privileged accounts without locking you out.
He said clearly "limit the scope of damage of ransomware attacks without being locked out", so the right one here should be "D. Emergency Access Accounts".
https://learn.microsoft.com/en-us/azure/active-directory-b2c/tenant-management-emergency-access-account
If an attacker got Domain Admin privileges and deleted all my servers and all my AD accounts, how exactly does an 'emergency access account' help? Answer is clearly B.
I can see why some may confuse the 'break-glass' account with this question, but it clearly asks to NOT be locked out! That means you already have access to the environment, whatever that may be. You don't need an emergency account at that point.
ChatGPT: To limit the scope of damage of ransomware attacks without being locked out, you should recommend Privileged Access Workstations (PAWs).
Privileged Access Workstations (PAWs) are dedicated devices that are used to perform sensitive administrative tasks, such as configuring security settings and managing domain controllers. PAWs provide enhanced security by isolating administrative activities from regular user activities and by requiring multi-factor authentication and additional controls.
By using a PAW, administrators can perform sensitive tasks without exposing their credentials to the regular network or potentially malicious content, such as ransomware. This helps to limit the scope of damage of ransomware attacks while also maintaining access to critical systems. Therefore, option B is the correct answer.
ChatGPT says this now:
D. Emergency access accounts
Emergency access accounts are crucial for limiting the scope of damage during ransomware attacks without being locked out. These accounts are highly privileged, but they are only used in case of emergencies, such as when normal administrative access is unavailable. This ensures that you can maintain access to critical systems while working to contain and recover from a ransomware attack, following Microsoft Security Best Practices.
Device compliance policies (A) primarily focus on ensuring that devices meet security standards, which is preventive but not directly applicable for emergency response to ransomware.
Privileged Access Workstations (PAWs) (B) are used to isolate administrative tasks, but they don't help directly in recovering from a ransomware attack.
Customer Lockbox (C) is a feature for control over data access but is not related to mitigating ransomware attacks.
"Privileged Access Workstations (PAWs) (B) ... don't help directly in recovering from a ransomware attack."
Probably, but 'help in recovering from a ransomware attack' is not asked here, rather "limit the scope of damage of ransomware attacks", and that is what PAWs do. Actually not the PAWs, but the access tiering that requires the use of PAWs.
Source: ExamTopics, SC-100 Exam Questions
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters (with vote label and relative post time as shown on the page): aljdeguzman (Highly Voted, 2 years, 7 months ago); bxlin (1 year, 5 months ago); Luweho (4 months, 1 week ago); rvln7 (3 months, 1 week ago); zellck (Highly Voted, 2 years, 6 months ago); Hameet (Most Recent, 3 hours, 55 minutes ago); The1BelowAll (1 month, 4 weeks ago); Luweho (4 months, 1 week ago); Ali96 (9 months, 4 weeks ago); besoaus (1 year, 4 months ago); Luweho (4 months, 1 week ago); calotta1 (2 years, 3 months ago); MaciekMT (2 years, 7 months ago); ariania (1 year, 2 months ago); Luweho (4 months, 1 week ago); janesb (2 years, 7 months ago).