VBA Project security & "Back Door"

Posted on 2004-09-10
Last Modified: 2008-02-01
   OK. Maybe this has been discussed a million times. Or maybe the concept is so basic that anyone who knows how to write a MACRO should know it already. But since it is unknown to me and I couldn't find it in the PAQ's, here goes.

    Is there a beter way to secure a VBA Project then with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.

    I had thought that the above method was probably secure enough because someone wanting to hack it would have to use a "brute fors" type of program and you could make it fairly secure by using a strong password. However I just came across a program called ******** ****** ** ******** ******** that uses a "back door" to either delete the password or set it to anything the user desires.

Any comments or thoughts?
Question by:will_scarlet7
LVL 57

Assisted Solution

by:Jim Dettman (Microsoft MVP/ EE MVE)
Jim Dettman (Microsoft MVP/ EE MVE) earned 100 total points
ID: 12027886
<<  Is there a beter way to secure a VBA Project then with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.>>

  You can distribute a MDB as in MDE format, which removes all the source code.  However that does cause other problems.  Outside of that, no.  Access and VBA are both easily broken.  As you mentioned, there are many utilities out on the net to crack them.  

LVL 15

Author Comment

ID: 12028488
ThanX for the reply Jim!
    I have gotten so used to the ease of using MDB files instead of MDE's (especially since Access looses report formating so easily).  I also do programming in Excel & Word, so was more curious in the "general" aspect of the VBA project security.
    Is there really a known "back door" to the VBA Project password? Or is that just what the company calls their brute force attack?

Your input is appreciated, and if no one else feels the need to enter the discussion by tomorrow I will award you full points. Like I said above it is basically a leisurely, for info question from my perspective, but I have rarely seen questions older than a day generate much new input in this TA due to the sheer volume of questions.

God bless!
LVL 36

Expert Comment

ID: 12029857

anyone with local access to the system can potentially crack anything..vba, access security...even the machine administrator password..(and therefore possibly sql server integrated security)...i've got a nice linux based utility that fits on a floppy here that resets a win2k admin pwd to the network admin, i only use the tool for good..and keep it locked in the safe (not that it's not available on the internet) but you can see where this could be a problem with anything regarding all depends on time and how much effort they want to expend.

make things as difficult as possible and that's about all you can do...

One trick you can use for many passwords is to use special extended characters eg: alt-numpad-123

Most if not all brute force cracks can not deal with these chars (at least last time i checked) and your passwords remain safe(r)

note that some programs can't deal with them test it first...

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

LVL 15

Author Comment

ID: 12031093
ThanX Sid!
    I'm still fishing for one particular answer though (this is not to say your comment was not good and appreciated). Is this program really exploiting a "back door"? If so it does not seem like any clever passwords would be any better than jus using "me". I mean if the program can just delete or re-set the password without having to discover the old one, then...

Thank you for your input!

LVL 36

Accepted Solution

SidFishes earned 150 total points
ID: 12031398
Not sure of the specifics of the "feature" but as far as i can tell it's a true backdoor

"Professional Edition has an additional feature: VBA backdoor. With it, the password is not being recovered at all; however, you're able to open VBA project (to view/edit the code) after entering any password; of course, you should have the application (this document has been created with) installed."

I'm going to post a q on a security board i frequent and see if someone knows the exact mechanics of the "feature"

in the meantime let's sing!...

You say toMAYto I say toMAHto
You say poTAYto I say poTAHto
Microsoft says Feature I say Exploit

LVL 36

Expert Comment

ID: 12031405
All together now

...Let's call the whole thing off...

LVL 26

Assisted Solution

dannywareham earned 100 total points
ID: 12038902
I've found limited means of protecting my databases, but it basically means creating lots of security measures - its still not hack proof.

How I generally do it is:

1. Create a users table and use a function to return the computer login name (this can also be done with IP address)
2. Use VBA to check if the user exists - if not close the app.
3. Disable the bypasskey
4. Set a db password (easily broken)
5. Password protect all VBA
6. Distribute as MDE

As I say - still not perfect, as, if you crack the db password, you can import objects into a new db.

Unfortunately, as long as there are people wanting to break into anything (applications, code, property), there will always be this problem.

LVL 15

Author Comment

ID: 12041967
Hi Guys,
ThanX for joining in on the discussion! Your points were appreciated. I increased the total points, and gave 100 to both dannywareham & JDettman, and 150 to sid fishes for the info about the "back door".

God bless!

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction The Visual Basic for Applications (VBA) language is at the heart of every application that you write. It is your key to taking Access beyond the world of wizards into a world where anything is possible. This article introduces you to…
In Part II of this series, I will discuss how to identify all open instances of Excel and enumerate the workbooks, spreadsheets, and named ranges within each of those instances.
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…

685 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question