Microsoft Cybersecurity Architect — Question 9
You have an Azure AD tenant that syncs with an Active Directory Domain Services (AD DS) domain. Client computers run Windows and are hybrid-joined to Azure AD.
You are designing a strategy to protect endpoints against ransomware. The strategy follows Microsoft Security Best Practices.
You plan to remove all the domain accounts from the Administrators groups on the Windows computers.
You need to recommend a solution that will provide users with administrative access to the Windows computers only when access is required. The solution must minimize the lateral movement of ransomware attacks if an administrator account on a computer is compromised.
What should you include in the recommendation?
Answer options
- A. Local Administrator Password Solution (LAPS)
- B. Azure AD Identity Protection
- C. Azure AD Privileged Identity Management (PIM)
- D. Privileged Access Workstations (PAWs)
Correct answer: A
Explanation
The Local Administrator Password Solution (LAPS) is the correct recommendation because it provides a way to manage local admin passwords on Windows machines securely, ensuring that each computer has a unique password that is regularly updated. This minimizes the risk of lateral movement for ransomware attacks since even if one admin account is compromised, the password is not the same across other devices. The other options, while beneficial for security, do not specifically address the need for minimizing admin access and protecting against ransomware in the same targeted manner as LAPS.