VBA Project security & "Back Door"

Posted on 2004-09-10
Last Modified: 2008-02-01
   OK. Maybe this has been discussed a million times. Or maybe the concept is so basic that anyone who knows how to write a MACRO should know it already. But since it is unknown to me and I couldn't find it in the PAQ's, here goes.

    Is there a better way to secure a VBA Project than with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.

    I had thought that the above method was probably secure enough because someone wanting to hack it would have to use a "brute force" type of program and you could make it fairly secure by using a strong password. However I just came across a program called ******** ****** ** ******** ******** that uses a "back door" to either delete the password or set it to anything the user desires.

Any comments or thoughts?
Question by:will_scarlet7
LVL 57

Assisted Solution

by:Jim Dettman (Microsoft MVP/ EE MVE)
Jim Dettman (Microsoft MVP/ EE MVE) earned 100 total points
ID: 12027886
<<  Is there a better way to secure a VBA Project than with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.>>

  You can distribute an MDB in MDE format, which removes all the source code.  However that does cause other problems.  Outside of that, no.  Access and VBA are both easily broken.  As you mentioned, there are many utilities out on the net to crack them.

LVL 15

Author Comment

ID: 12028488
ThanX for the reply Jim!
    I have gotten so used to the ease of using MDB files instead of MDE's (especially since Access loses report formatting so easily).  I also do programming in Excel & Word, so was more curious in the "general" aspect of the VBA project security.
    Is there really a known "back door" to the VBA Project password? Or is that just what the company calls their brute force attack?

Your input is appreciated, and if no one else feels the need to enter the discussion by tomorrow I will award you full points. Like I said above it is basically a leisurely, for info question from my perspective, but I have rarely seen questions older than a day generate much new input in this TA due to the sheer volume of questions.

God bless!
LVL 36

Expert Comment

ID: 12029857

Anyone with local access to the system can potentially crack anything... VBA, Access security... even the machine administrator password (and therefore possibly SQL Server integrated security)... I've got a nice Linux-based utility that fits on a floppy here that resets a win2k admin pwd to the network admin. I only use the tool for good, and keep it locked in the safe (not that it's not available on the internet), but you can see where this could be a problem with anything regarding all depends on time and how much effort they want to expend.

Make things as difficult as possible and that's about all you can do...

One trick you can use for many passwords is to use special extended characters, e.g. alt-numpad-123

Most if not all brute force cracks cannot deal with these chars (at least last time I checked) and your passwords remain safe(r)

Note that some programs can't deal with them; test it first...


LVL 15

Author Comment

ID: 12031093
ThanX Sid!
    I'm still fishing for one particular answer though (this is not to say your comment was not good and appreciated). Is this program really exploiting a "back door"? If so it does not seem like any clever passwords would be any better than just using "me". I mean if the program can just delete or re-set the password without having to discover the old one, then...

Thank you for your input!

LVL 36

Accepted Solution

SidFishes earned 150 total points
ID: 12031398
Not sure of the specifics of the "feature" but as far as I can tell it's a true backdoor

"Professional Edition has an additional feature: VBA backdoor. With it, the password is not being recovered at all; however, you're able to open VBA project (to view/edit the code) after entering any password; of course, you should have the application (this document has been created with) installed."

I'm going to post a q on a security board I frequent and see if someone knows the exact mechanics of the "feature"

In the meantime let's sing!...

You say toMAYto I say toMAHto
You say poTAYto I say poTAHto
Microsoft says Feature I say Exploit

LVL 36

Expert Comment

ID: 12031405
All together now

...Let's call the whole thing off...

LVL 26

Assisted Solution

dannywareham earned 100 total points
ID: 12038902
I've found limited means of protecting my databases, but it basically means creating lots of security measures - it's still not hack-proof.

How I generally do it is:

1. Create a users table and use a function to return the computer login name (this can also be done with IP address)
2. Use VBA to check if the user exists - if not close the app.
3. Disable the bypasskey
4. Set a db password (easily broken)
5. Password protect all VBA
6. Distribute as MDE

As I say - still not perfect, as, if you crack the db password, you can import objects into a new db.

Unfortunately, as long as there are people wanting to break into anything (applications, code, property), there will always be this problem.
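
Steps 1 to 3 of the list above, sketched in Access VBA as an added example (not dannywareham's own code). The table `tblUsers`, its `LoginName` field and all procedure names are assumptions; as the post says, this raises the effort required rather than making the database hack-proof.

```vba
Option Compare Database
Option Explicit

#If VBA7 Then
Private Declare PtrSafe Function GetUserNameA Lib "advapi32.dll" _
    (ByVal lpBuffer As String, ByRef nSize As Long) As Long
#Else
Private Declare Function GetUserNameA Lib "advapi32.dll" _
    (ByVal lpBuffer As String, ByRef nSize As Long) As Long
#End If

' Step 1: take the login name from Windows, not from Environ("USERNAME"),
' which a user can override before launching Access.
Public Function WindowsLogin() As String
    Dim buf As String, n As Long
    n = 256
    buf = String$(n, vbNullChar)
    ' On success n holds the length including the terminating null.
    If GetUserNameA(buf, n) <> 0 Then WindowsLogin = Left$(buf, n - 1)
End Function

' Step 2: look the name up in the (assumed) tblUsers table.
' A parameter query keeps the login name out of the SQL text.
Public Function IsKnownUser(ByVal login As String) As Boolean
    Dim db As DAO.Database, qd As DAO.QueryDef, rs As DAO.Recordset
    If Len(login) = 0 Then Exit Function      ' fail closed on API error
    Set db = CurrentDb
    Set qd = db.CreateQueryDef("", "PARAMETERS pLogin Text(255); " & _
        "SELECT LoginName FROM tblUsers WHERE LoginName = pLogin;")
    qd.Parameters("pLogin").Value = login
    Set rs = qd.OpenRecordset(dbOpenSnapshot)
    IsKnownUser = Not rs.EOF
    rs.Close
End Function

' Step 3: turn off the Shift bypass key. The property does not exist until
' it is first created (error 3270); DDL:=True limits who may change it back.
Public Sub DisableBypassKey()
    Dim db As DAO.Database
    Set db = CurrentDb
    On Error Resume Next
    db.Properties("AllowBypassKey").Value = False
    If Err.Number = 3270 Then
        Err.Clear
        db.Properties.Append _
            db.CreateProperty("AllowBypassKey", dbBoolean, False, True)
    End If
End Sub

' Call from an AutoExec macro (RunCode) so it runs before any form opens.
Public Function StartupCheck() As Boolean
    DisableBypassKey
    If Not IsKnownUser(WindowsLogin()) Then Application.Quit acQuitSaveNone
    StartupCheck = True
End Function
```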

LVL 15

Author Comment

ID: 12041967
Hi Guys,
ThanX for joining in on the discussion! Your points were appreciated. I increased the total points, and gave 100 to both dannywareham & JDettman, and 150 to sid fishes for the info about the "back door".

God bless!
