Solved

VBA Project security & "Back Door"

Posted on 2004-09-10
8
3,522 Views
Last Modified: 2008-02-01
   OK. Maybe this has been discussed a million times. Or maybe the concept is so basic that anyone who knows how to write a MACRO should know it already. But since it is unknown to me and I couldn't find it in the PAQ's, here goes.

    Is there a beter way to secure a VBA Project then with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.

    I had thought that the above method was probably secure enough because someone wanting to hack it would have to use a "brute fors" type of program and you could make it fairly secure by using a strong password. However I just came across a program called ******** ****** ** ******** ******** that uses a "back door" to either delete the password or set it to anything the user desires.

Any comments or thoughts?
0
Comment
Question by:will_scarlet7
8 Comments
 
LVL 57

Assisted Solution

by:Jim Dettman (Microsoft MVP/ EE MVE)
Jim Dettman (Microsoft MVP/ EE MVE) earned 100 total points
Comment Utility
<<  Is there a beter way to secure a VBA Project then with the standard "Project Properties -> Protection -> Lock Project for viewing"? It is not a requirement in my line of work (Hence the low points) but more something I am curious about.>>

  You can distribute a MDB as in MDE format, which removes all the source code.  However that does cause other problems.  Outside of that, no.  Access and VBA are both easily broken.  As you mentioned, there are many utilities out on the net to crack them.  

Jim.
0
 
LVL 15

Author Comment

by:will_scarlet7
Comment Utility
ThanX for the reply Jim!
    I have gotten so used to the ease of using MDB files instead of MDE's (especially since Access looses report formating so easily).  I also do programming in Excel & Word, so was more curious in the "general" aspect of the VBA project security.
    Is there really a known "back door" to the VBA Project password? Or is that just what the company calls their brute force attack?

Your input is appreciated, and if no one else feels the need to enter the discussion by tomorrow I will award you full points. Like I said above it is basically a leisurely, for info question from my perspective, but I have rarely seen questions older than a day generate much new input in this TA due to the sheer volume of questions.

God bless!
Sam
0
 
LVL 36

Expert Comment

by:SidFishes
Comment Utility
will...

anyone with local access to the system can potentially crack anything..vba, access security...even the machine administrator password..(and therefore possibly sql server integrated security)...i've got a nice linux based utility that fits on a floppy here that resets a win2k admin pwd to anything...as the network admin, i only use the tool for good..and keep it locked in the safe (not that it's not available on the internet) but you can see where this could be a problem

..as with anything regarding security....it all depends on time and how much effort they want to expend.

make things as difficult as possible and that's about all you can do...

One trick you can use for many passwords is to use special extended characters eg: alt-numpad-123

Most if not all brute force cracks can not deal with these chars (at least last time i checked) and your passwords remain safe(r)

note that some programs can't deal with them either...so test it first...


0
 
LVL 15

Author Comment

by:will_scarlet7
Comment Utility
ThanX Sid!
    I'm still fishing for one particular answer though (this is not to say your comment was not good and appreciated). Is this program really exploiting a "back door"? If so it does not seem like any clever passwords would be any better than jus using "me". I mean if the program can just delete or re-set the password without having to discover the old one, then...

Thank you for your input!

Sam
0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 
LVL 36

Accepted Solution

by:
SidFishes earned 150 total points
Comment Utility
Not sure of the specifics of the "feature" but as far as i can tell it's a true backdoor

"Professional Edition has an additional feature: VBA backdoor. With it, the password is not being recovered at all; however, you're able to open VBA project (to view/edit the code) after entering any password; of course, you should have the application (this document has been created with) installed."

I'm going to post a q on a security board i frequent and see if someone knows the exact mechanics of the "feature"

in the meantime let's sing!...

You say toMAYto I say toMAHto
You say poTAYto I say poTAHto
Microsoft says Feature I say Exploit

 ;)
0
 
LVL 36

Expert Comment

by:SidFishes
Comment Utility
All together now

...Let's call the whole thing off...



0
 
LVL 26

Assisted Solution

by:dannywareham
dannywareham earned 100 total points
Comment Utility
I've found limited means of protecting my databases, but it basically means creating lots of security measures - its still not hack proof.

How I generally do it is:

1. Create a users table and use a function to return the computer login name (this can also be done with IP address)
2. Use VBA to check if the user exists - if not close the app.
3. Disable the bypasskey
4. Set a db password (easily broken)
5. Password protect all VBA
6. Distribute as MDE

As I say - still not perfect, as, if you crack the db password, you can import objects into a new db.

Unfortunately, as long as there are people wanting to break into anything (applications, code, property), there will always be this problem.

:-)
0
 
LVL 15

Author Comment

by:will_scarlet7
Comment Utility
Hi Guys,
ThanX for joining in on the discussion! Your points were appreciated. I increased the total points, and gave 100 to both dannywareham & JDettman, and 150 to sid fishes for the info about the "back door".

God bless!
Sam
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Suggested Solutions

Overview: This article:       (a) explains one principle method to cross-reference invoice items in Quickbooks®       (b) explores the reasons one might need to cross-reference invoice items       (c) provides a sample process for creating a M…
A simple tool to export all objects of two Access files as text and compare it with Meld, a free diff tool.
Get people started with the utilization of class modules. Class modules can be a powerful tool in Microsoft Access. They allow you to create self-contained objects that encapsulate functionality. They can easily hide the complexity of a process from…
In Microsoft Access, when working with VBA, learn some techniques for writing readable and easily maintained code.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now