Rapid Application Development / Advanced Excel Development
 
Products for Excel
Commercial Products
Spreadsheet Quality Products
Free Products
Spreadsheet Services
Spreadsheet Development
Spreadsheet Migration
Spreadsheet Maintenance
Spreadsheet Review
Spreadsheet Management
Excel Development
Excel Developer Types
Excel VBA
Excel and Databases
Excel and Pivot Tables
Excel Add-ins
Worksheet Functions
Excel and xlls
Excel (in)security
Excel testing
Excel and .net
Excel VBA IDE (editor)
Excel VBA Training
Professional Excel Development
Excel 2007
Resources
Consultant Profile
Book Reviews
Links
Other

Excel Security

It is essential to keep any discussion of Excel security in context. Excel is primarily a single end user analysis and presentation tool. The security model reflects this primary use. If you are trying to build enterprise applications entirely in Excel you will probably find this security model (and potentially other features) sadly lacking. Bear in mind Microsoft themselves do not regard the features below as 'security' they are more usability features.

There are often pretty compelling reasons to build some parts of a system in something other than Excel, security is often one of them. For example we tend to put corporate data on a database server to reduce the chances of data corruption, we compile code resources into Xlls to prevent unauthorised changes.

Security is not an On or Off thing, it is really measured in time and effort. Nothing is totally 100% secure from a determined resourceful adversary with plenty of time, so the question is:

Are our assets adequately protected against the likely threats and their potential damage?

If someone is willing and able to deliberately manipulate spreadsheets dishonestly, then what else might they be capable of? A few made up numbers in a spreadsheet are probably the least of the organisations problems in that situation.

Threat Analysis

The first step in any security discussion should be to analyse the potential threats

Some examples might be:

  • To use an Excel file as a Trojan Horse carrying a malicious payload
  • To exploit an unpatched flaw in an Office component
  • To change data values (a data diddler) or business logic
  • To delete a required workbook (denial of service (DOS))
  • To encrypt an important workbook so it is inaccessible to its users (DOS)
  • To make structural changes that will break dependent workbooks
  • To view a confidential spreadsheet without the appropriate permission

Some possible perpetrators are:

  • Disgruntled employees
  • Ex employees
  • Under skilled, or overworked staff
  • Short term staff
  • out of hours staff
  • Remote staff
  • Organised criminals
  • Script kiddies
  • Freelance 'security professionals'
  • investigative journalists
  • competitors

Some of the possible damage that could be caused

  • The whole network crashes stopping all staff worldwide working, possibly for days
  • Confidential information is leaked (staff salaries, customer credit cards)
  • Invalid data is reported to the Stock Exchange or the regulator
  • Proprietary deal evaluation techniques are leaked to competitors
  • A key file is not available when needed, requiring a back-up to be restored, losing several days/weeks of work
  • Blackmailers may demand payment to decrypt vital files

 

Excel 'Security' overview

The following features of Excel may help in removing or mitigating some of the threats including those above.

Workbook Open protection (from Tools in the File Save As dialog)

This has become stronger in recent versions of Excel. A workbook protected with a file open password is an encrypted file. If you don't know the password you can't open it (without specialist software and or lots of time and effort).

Workbook modify password (from Tools in the File Save As dialog)

This allows people to view the contents of a workbook, but they cannot save back to the same file name. This can be very useful to reduce inadvertent edits, and improve change control.

Workbook Structure protection (From Tools >> Protection >> Protect Workbook

Allows people to view the workbook, but not change the visibility of sheets or the order. Should be used if worksheet protection is used. Codematic offer an Excel Add-in that will rapidly recover lost workbook structure passwords, see here for details.

Worksheet protection (From Tools >> Protection >> Protect Worksheet

Various options, users can usually view most of the worksheet, but only make defined changes in specific cells. Easy to bypass (very easy if workbook structure protection is not used), patronising and breaks much useful functionality (like the auditing toolbar). Personal view: negatives outweigh the positives - do not use. Codematic offer an Excel Add-in that will rapidly recover lost worksheet passwords, or remove them altogether see here for details.

VBA / Macro Security (from Tools >> Macros >> Security)

Controls how VBA code and XLM Macros are executed, it is essential this is not set to low for convenience. Medium is the minimum for any responsible organisation.

VBA Protection (from Tools >> VBAProject Properties in the VBA editor)

Prevents people from viewing and changing VBA code. Easy to bypass.

Careful design (from the developers skill and experience)

The value of good design for usability and for safety should not be underestimated.

Other

Access to the VBA IDE and other Office features can be denied using Office system policies. This might stop meddlers, and may cause confusion and reduce skill development. Better training and maybe hiring, may be the best approach of all.

 

 

 
 

VBA Security

There are two main aspects to security

  1. Potential loss of intellectual property if people access source code without permission.
  2. Potential danger from a malicious user subverting the expected behaviour for their own (possibly disastrous) purposes.

VBA security is fairly poor, the code is not compiled, and the source is available in the excel file. The password protection is pretty easy to circumvent. This reflects Excel/VBA target as an end user application. Code security can be enhanced by moving to COM components or C, if there is a real need.
Simple auto open macro test files:

Workbookopen

autoopen

xlmopen

 

Please contact us with any questions.

 

Products for sale:

wsUnprotector

Instant Excel worksheet protection remover and password recovery (Current price GBP 20.00 + Vat)

AltFileSearch

New information about the missing FileSearch feature in Office 2007 and details of our pragmatic solution (Current price GBP 25.00 + Vat)

Products coming soon:

XLAnalyst Pro

(Excel VBA based spreadsheet auditing tool)

Classic Ribbon

(Excel VBA based Excel 2007 Ribbon customisation tool)

Both due before the end of Feb 09.

This page was last reviewed on January 15, 2009

©Codematic Ltd 1999-2009