Merge pull request #35664 from VanMSFT/20251028_addRisk

prmerger-automator[bot] · web-flow · commit 9975631ec63d · 2025-10-28T20:40:30.000Z
Adding risk to ext account
diff --git a/docs/sql-server/azure-arc/configure-windows-accounts-agent.md b/docs/sql-server/azure-arc/configure-windows-accounts-agent.md
@@ -87,6 +87,18 @@ The extension also grants permissions to instance and database objects as featur
 > [!NOTE]  
 > Minimum permissions depend on enabled features. The extension updates permissions when they're no longer necessary. It grants necessary permissions when you enable features.
 
+### `NT Service\SQLServerExtension` account permission details
+
+| Registry Path | Permission | The associated risk on permissions if the `NT Service\SQLServerExtension` account is compromised |
+| :--- | :--- | :--- |
+| `SOFTWARE\Microsoft\Microsoft SQL Server` | Read | Extension can see which SQL Server versions are installed. |
+| `SOFTWARE\Microsoft\Microsoft SQL Server\\MSSQLSERVER` | Full control | Only needed when Microsoft Entra authentication or Purview is enabled. Extension could modify SQL Server configuration. |
+| `SOFTWARE\Microsoft\SystemCertificates` | Full control | Only needed when Microsoft Entra authentication is enabled. Extension could replace trusted root certificate authorities. |
+| `SYSTEM\CurrentControlSet\Services` | Read | Extension can see service account names. |
+| `SOFTWARE\Microsoft\AzureDefender\SQL` | Read | Extension can learn Microsoft Defender status and update times. |
+| `SOFTWARE\Microsoft\SqlServerExtension` | Full control | Extension could change extension settings. |
+| `SOFTWARE\Policies\Microsoft\Windows` | Read and Write | Only needed when [Auto update](update.md) is enabled. Extension could change Windows Update policies and disable Device Guard, which controls code integrity and virtualization-based security, extended exposure due to missed patches. |
+
 ## SQL privileges by feature
 
 The following table lists the default behavior for the features that control permissions granted by the Azure Extension for SQL Server:
@@ -285,4 +297,4 @@ Currently, the following feature uses just-in-time permissions:
 
 ## Related content
 
-- [Configure Windows service accounts and permissions](../../database-engine/configure-windows/configure-windows-service-accounts-and-permissions.md)
+- [Configure Windows service accounts and permissions](../../database-engine/configure-windows/configure-windows-service-accounts-and-permissions.md)
