# Minimum File & Registry Rights

*For Advanced Users of The Satoshi Terminal*

***

### **Purpose and Scope**

This document outlines the implementation, management, and best practices for configuring **Minimum File & Registry Rights** in The Satoshi Terminal. These rights are established to enforce the **Principle of Least Privilege (PoLP)**, ensuring that processes, users, and applications access only the files and registry keys necessary for their function. This approach mitigates security risks, reduces the attack surface, and ensures compliance with industry standards such as ISO/IEC 27001, NIST SP 800-53, and CIS Benchmarks.

***

### **Conceptual Framework**

1. **File System Access Rights:**
   * Defines granular permissions at the file and directory level.
   * Supports read, write, execute, and traversal permissions based on NTFS standards.
2. **Registry Rights Management:**
   * Regulates access to Windows Registry hives and keys.
   * Enforces secure defaults while enabling application-specific overrides.
3. **Dynamic Policy Enforcement:**
   * Monitors changes in file and registry permissions in real-time.
   * Automatically rolls back unauthorized modifications.

***

### **Key Objectives**

* **Minimize Attack Surface:** Restrict access to critical resources, reducing exposure to malicious activity.
* **Ensure Operational Integrity:** Prevent accidental or unauthorized modifications to essential files and registry entries.
* **Maintain Compliance:** Align with regulatory and organizational security policies.

***

### **File Permissions Overview**

#### **1. Permission Types**

* **Read (R):** Allows viewing the contents of a file or directory.
* **Write (W):** Grants the ability to modify file contents.
* **Execute (X):** Permits execution of binary files or traversal of directories.
* **Delete (D):** Allows deletion of files or directories.

#### **2. Permission Levels**

* **Full Control:** All permissions combined; generally restricted to administrators.
* **Modify:** Grants read, write, and delete permissions.
* **Read & Execute:** Combines read and execute for application compatibility.
* **Write:** Limited to file or directory modification.

***

### **Registry Permissions Overview**

#### **1. Registry Hives**

* **HKEY_LOCAL_MACHINE (HKLM):** System-wide settings and configurations.
* **HKEY_CURRENT_USER (HKCU):** User-specific settings.
* **HKEY_CLASSES_ROOT (HKCR):** File type associations and COM objects.
* **HKEY_USERS (HKU):** Configuration data for all user accounts.
* **HKEY_CURRENT_CONFIG (HKCC):** Current hardware profile configurations.

#### **2. Access Levels**

* **Query Value:** Read a registry key or value.
* **Set Value:** Modify a registry value.
* **Create Subkey:** Add a new key under an existing one.
* **Delete:** Remove a registry key or value.
* **Enumerate Subkeys:** List all subkeys under a given key.

***

### **Implementation Details**

#### **1. File Rights Configuration**

**1.1. Tools for Configuration**

* **Windows File Explorer:**
  * Right-click a file or directory → **Properties** → **Security** tab → Configure permissions.
* **Command-Line Tools:**
  * `icacls`: Modify and view permissions.
  * Example:

    ```cmd
    icacls C:\SatoshiTerminal\logs /grant "Users:(R)"
    ```
  * `takeown`: Take ownership of files.
    Example:

    ```cmd
    takeown /f C:\SatoshiTerminal
    ```

**1.2. Recommended Permissions for The Satoshi Terminal**

| Path                         | User Group     | Permissions  | Justification                            |
| ---------------------------- | -------------- | ------------ | ---------------------------------------- |
| `C:\SatoshiTerminal`         | Administrators | Full Control | Required for installation and updates.   |
| `C:\SatoshiTerminal\configs` | System         | Read & Write | Secure access to configuration files.    |
| `C:\SatoshiTerminal\logs`    | Users          | Read Only    | Prevents unauthorized log modifications. |
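The table applied end to end, as an added example that is not part of the original page: it uses `icacls` from an elevated PowerShell prompt, takes the install root and subfolder names from the table, and finishes with a verification listing to compare against it.

```powershell
# Added example (not from The Satoshi Terminal documentation): applies the table above with icacls
# from an elevated PowerShell prompt. C:\SatoshiTerminal is the page's own install root; the
# subfolder names come from the table.
$Root = 'C:\SatoshiTerminal'

# Root: cut inheritance from C:\ so drive-level entries (e.g. BUILTIN\Users read/execute) do not
# leak into the install tree, and grant Administrators Full Control. (OI)(CI) = object inherit +
# container inherit, so the entry flows to every file and folder below.
# Caveat: the table lists no SYSTEM entry at the root. If the terminal runs as a service under
# LocalSystem, add that entry before removing inheritance or the service loses access.
icacls $Root /inheritance:r /grant:r 'Administrators:(OI)(CI)F'

# Subfolders keep inheriting Administrators Full Control from the root and only add the entry the
# table calls for. /grant:r replaces an earlier explicit grant for the same principal, so re-runs
# converge on the same ACL instead of accumulating entries.
icacls "$Root\configs" /grant:r 'SYSTEM:(OI)(CI)(GR,GW)'   # Read & Write = generic read + generic write
icacls "$Root\logs"    /grant:r 'Users:(OI)(CI)R'          # Read Only

# Verify: compare the resulting entries with the table. Explicit entries for principals the table
# does not list survive this script; drop them with  icacls <path> /remove <principal>.
foreach ($Path in $Root, "$Root\configs", "$Root\logs") {
    Write-Host "== $Path"
    (Get-Acl -Path $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
}
```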

***

#### **2. Registry Rights Configuration**

**2.1. Tools for Configuration**

* **Registry Editor (regedit.exe):**
  * Navigate to a registry key → **Permissions** → Configure access.
* **Command-Line Tools:**
  * `reg add` and `reg delete`: Modify registry keys.
  * Example:

    ```cmd
    reg add HKLM\Software\SatoshiTerminal /v ConfigPath /t REG_SZ /d C:\SatoshiTerminal\configs
    ```
  * **PowerShell:**
    * Example:

      ```powershell
      Set-ItemProperty -Path "HKLM:\Software\SatoshiTerminal" -Name "LogLevel" -Value "Error"
      ```

**2.2. Recommended Registry Key Permissions**

| Key                                    | User Group     | Permissions   | Purpose                                 |
| -------------------------------------- | -------------- | ------------- | --------------------------------------- |
| `HKLM\Software\SatoshiTerminal`        | Administrators | Full Control  | Required for software management.       |
| `HKLM\Software\SatoshiTerminal\Config` | System         | Read & Write  | System-wide configuration access.       |
| `HKCU\Software\SatoshiTerminal`        | Users          | Read & Modify | User-specific preferences and settings. |
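The registry table applied with the .NET registry ACL classes, as an added example that is not part of the original page. The key paths are the page's own; the helper name `Set-TerminalKeyRights` and the mapping of "Read & Write" / "Read & Modify" onto `RegistryRights` flags are assumptions made here.

```powershell
# Added example (not from The Satoshi Terminal documentation): applies the table above through
# the .NET registry ACL classes from an elevated PowerShell prompt. The key paths are the page's;
# mapping "Read & Write" and "Read & Modify" onto RegistryRights flags is my interpretation.
function Set-TerminalKeyRights {
    param(
        [string]$Key,                                              # provider path, e.g. HKLM:\Software\...
        [string]$Identity,
        [System.Security.AccessControl.RegistryRights]$Rights,
        [switch]$BreakInheritance
    )
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    $acl = Get-Acl -Path $Key
    if ($BreakInheritance) {
        # Opt-in: stop inheriting from the parent key without copying its entries. This also drops
        # the inherited SYSTEM and Users entries, so use it only once every principal that needs
        # the key (service account included) has its own explicit entry.
        $acl.SetAccessRuleProtection($true, $false)
    }
    # ContainerInherit: subkeys created later (e.g. Config) receive the same entry.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    # SetAccessRule replaces any existing explicit Allow entry for this identity, so re-runs converge.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

$R = [System.Security.AccessControl.RegistryRights]
Set-TerminalKeyRights -Key 'HKLM:\Software\SatoshiTerminal' -Identity 'BUILTIN\Administrators' -Rights $R::FullControl
# "Read & Write": ReadKey plus WriteKey (SetValue, CreateSubKey); deliberately no Delete.
Set-TerminalKeyRights -Key 'HKLM:\Software\SatoshiTerminal\Config' -Identity 'NT AUTHORITY\SYSTEM' -Rights ($R::ReadKey -bor $R::WriteKey)
# "Read & Modify" for the per-user hive; the same flag set fits.
Set-TerminalKeyRights -Key 'HKCU:\Software\SatoshiTerminal' -Identity 'BUILTIN\Users' -Rights ($R::ReadKey -bor $R::WriteKey)

# Verify against the table; IsInherited = False marks the entries this script set.
foreach ($Key in 'HKLM:\Software\SatoshiTerminal', 'HKLM:\Software\SatoshiTerminal\Config', 'HKCU:\Software\SatoshiTerminal') {
    Write-Host "== $Key"
    (Get-Acl -Path $Key).Access | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize
}
```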

***

### **Dynamic Policy Enforcement**

#### **1. Real-Time Monitoring**

* Utilizes **Event Tracing for Windows (ETW)** to track changes in file and registry rights.
* Monitors the following events:
  * Unauthorized `icacls` or `takeown` usage.
  * Registry key creation or deletion in protected paths.

#### **2. Automatic Rollback**

* Any unauthorized modification triggers:
  * Alert notifications via email/SMS.
  * Reversion of changes using stored baselines.
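The monitoring and rollback steps above, implemented as a scheduled baseline check; this is an added example, not code from the original page or the Satoshi Terminal product. The baseline file location is an assumption, the targets are the paths and keys from the two tables, and Security event 4670 is the standard Windows record of a DACL change.

```powershell
# Added example (not from The Satoshi Terminal documentation): baseline-and-rollback for
# the paths and keys in the tables above. The baseline file location is an assumption;
# Security event 4670 ("Permissions on an object were changed") is the standard record of
# DACL changes, emitted when Audit File System / Audit Registry and a SACL on the object are set.
$Baseline = 'C:\ProgramData\SatoshiTerminal\acl-baseline.json'   # keep this file Administrators-only
$Targets  = @('C:\SatoshiTerminal', 'C:\SatoshiTerminal\configs', 'C:\SatoshiTerminal\logs',
              'HKLM:\Software\SatoshiTerminal', 'HKLM:\Software\SatoshiTerminal\Config')

function Save-AclBaseline {
    # Record each target's DACL as SDDL, a compact string that round-trips through Set-Acl.
    $snap = @{}
    foreach ($t in $Targets) { $snap[$t] = (Get-Acl -Path $t).Sddl }
    $snap | ConvertTo-Json | Set-Content -Path $Baseline -Encoding UTF8
}

function Test-AclDrift {
    # Emit one object per target whose current SDDL differs from the stored baseline.
    $snap = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
    foreach ($t in $Targets) {
        $current = (Get-Acl -Path $t).Sddl
        if ($current -ne $snap.$t) {
            [pscustomobject]@{ Path = $t; Expected = $snap.$t; Actual = $current }
        }
    }
}

function Restore-AclBaseline {
    # Revert every drifted target to its baseline and return what was reverted, for alerting.
    # Only the Access (DACL) section is rewritten, so a differing owner cannot make Set-Acl fail.
    $snap = Get-Content -Path $Baseline -Raw | ConvertFrom-Json
    foreach ($d in Test-AclDrift) {
        $acl = Get-Acl -Path $d.Path
        $acl.SetSecurityDescriptorSddlForm($snap.($d.Path), [System.Security.AccessControl.AccessControlSections]::Access)
        Set-Acl -Path $d.Path -AclObject $acl
        $d
    }
}

# Run Save-AclBaseline once after applying the tables; schedule the block below.
$changed = @(Restore-AclBaseline)
if ($changed.Count -gt 0) {
    # Correlate with who changed the DACL: 4670 carries subject, object name, old and new SDDL.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'SatoshiTerminal' }
    # Hand off to the email/SMS channel described above; Write-Warning keeps the example self-contained.
    Write-Warning ("ACL drift reverted on $($changed.Path -join ', '); related 4670 events: $(@($events).Count)")
}
```

The baseline must be captured only after the tables have been applied and reviewed, since anything recorded in it is what a later run will restore.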

#### **3. Policy Enforcement Tools**

* **Group Policy Objects (GPOs):**
  * Centralized enforcement of file and registry permissions.
  * Example: Prevent non-admins from modifying `HKLM\Software\SatoshiTerminal`.

***

### **Best Practices**

#### **1. General Guidelines**

* Assign permissions to groups instead of individual users.
* Avoid granting "Full Control" unless strictly necessary.
* Regularly audit file and registry rights.

#### **2. Hardening Recommendations**

* Enable **Mandatory Integrity Control (MIC):**
  * Ensures that even trusted processes cannot escalate privileges arbitrarily.
* Implement **AppLocker Policies:**
  * Restricts executable permissions based on file paths.

***

### **Advanced Troubleshooting**

#### **1. Diagnostic Commands**

* **List Effective Permissions:**

  ```cmd
  icacls C:\SatoshiTerminal
  ```
* **View Registry ACLs:**

  ```powershell
  Get-Acl -Path "HKLM:\Software\SatoshiTerminal"
  ```

#### **2. Common Issues**

* **"Access Denied" Errors:**
  * Verify that inheritance is enabled for subkeys or directories.
* **Permissions Misconfiguration:**
  * Restore defaults using:

    ```cmd
    icacls C:\SatoshiTerminal /reset
    ```

#### **3. Escalation Path**

* Gather logs from Event Viewer under **Security** and **Application**.
* Contact Level 2 support with detailed findings.

***

By strictly adhering to the **Minimum File & Registry Rights** outlined in this document, you ensure that The Satoshi Terminal operates securely while reducing risks of unauthorized access or tampering. Proper configuration and ongoing management of these rights are critical to safeguarding sensitive cryptocurrency data and maintaining regulatory compliance.
