Excel Workbook Licensing/Security System

[Falko26]

Hey Team,

Was wondering if anyone has had to use / build a security system for a workbook before? At our company we have a workbook that we make copies of for each project but we only want specific people to have access to it. We also do not want them to be able to take it outside of the company. I know Excel has a built in security (permissions) feature but if a person has access to that workbook and wanted to take it outside of the company they could simply do a save as and change the permissions.

I was thinking along the lines of some sort of licensing system. Does anyone have any ideas?

Thanks,

 

[Candyman8019]

To start, Everyone will tell you that Excel is not secure...and they're right. If someone wants in, they'll get in. My school of thought however, is if we can prevent the majority of users from doing that, it's a win. I've put together a few workbooks that use various methods of thwarting those types of users that include checks to ensure they can only open a workbook from a workstation on a specific domain; only specific users have access; only domain user has access; only certain users can saveas; login audit log; "black holes" which destroy the content and send me details of who bypassed security measures and from which workstation; password to open; etc...I've even tried a timed "subscription" based approach. Most of those methods work quite well for the most part.

One of the challenges becomes shared workbooks...where users have access to different sheets. Depending on how sharing is configured in your organization, if two people are both logged into the sheet they may both see each others work etc...but that's a whole other topic.

Back to the "security" aspect...
Since VBA doesn't work on Excel for Web, we need to put in some effort to make sure the user is opening the workbook with a desktop application. If opened in the web app, I typically use conditional formatting to "blank out" all content on a visible sheet except for a message to the user stating that they must open the workbook in the desktop application; as well as a caveat that says something along the line of any attempts to circumvent security are prohibited and may result in loss of data.

My approach typically starts with hiding (veryhidden) all sheets except one on both a workbook_open and a workbook_beforeclose event. This will force the user(s) to 'enable macros' in order to get access to any meaningful parts of the application. Now that macros are enabled we need to decide what measures we want to take to keep this secure as possible. I typically opt for the following at a minimum:
- Password to open (encrypted)
- Workbook can only be opened from specific domain connected device and confirms the user is in active directory
- Admin login field on main sheet which, if the correct password was entered, will display workbook management tab with details such as current vba project password, admin password, etc.
- Only user(s) identified as admin of the workbook can do a 'saveas'
- All hidden sheets are 'veryhidden' vs just 'hidden'
- Password protected vba project
- User Audit Log
- "black hole"
- To note with this approach. Since the sheet gets destroyed...in case the "hacker" is doing it on the main copy of the workbook you'll want to ensure you have a good backup strategy in your organization; and/or your own backup strategy for this workbook, for example a batch script that runs on your workstation that makes a copy of the workbook at regular intervals.

You mentioned a possible licensing system...I would include all of the above features, in addition to when the workbook first opens you can have it display the current expiry date and have a field where the user would enter a code to extend the expiry date. This license code could be programmed to use whatever algorithm you choose. It can be fairly simple, or complex. I typically create a "subscription generator" workbook that I use to build license codes that I would give to the users.

 

[Jeffrey Mahoney]

Just writing this out as I think through the problem.

Let's say you lock down the sheets using VBA "VeryHidden" and lock down the VBA project with a password. A list of passwords by person are kept in VBA along with each person's Username.

When a person needs to unlock the sheets associated with their function, they press a button, a form pops up asking for their password, retrieves their username for comparison, AND checks for the presence of a certain network folder or file to make sure they haven't sent this workbook outside the company.

User ID can be retrieved by using Environ$("UserName"). Somebody would have to maintain the list in VBA instead of a worksheet because accessing worksheet data is easy.

Jeff

 

[Falko26]

To start, Everyone will tell you that Excel is not secure...and they're right. If someone wants in, they'll get in. My school of thought however, is if we can prevent the majority of users from doing that, it's a win. I've put together a few workbooks that use various methods of thwarting those types of users that include checks to ensure they can only open a workbook from a workstation on a specific domain; only specific users have access; only domain user has access; only certain users can saveas; login audit log; "black holes" which destroy the content and send me details of who bypassed security measures and from which workstation; password to open; etc...I've even tried a timed "subscription" based approach. Most of those methods work quite well for the most part.

One of the challenges becomes shared workbooks...where users have access to different sheets. Depending on how sharing is configured in your organization, if two people are both logged into the sheet they may both see each others work etc...but that's a whole other topic.

Back to the "security" aspect...
Since VBA doesn't work on Excel for Web, we need to put in some effort to make sure the user is opening the workbook with a desktop application. If opened in the web app, I typically use conditional formatting to "blank out" all content on a visible sheet except for a message to the user stating that they must open the workbook in the desktop application; as well as a caveat that says something along the line of any attempts to circumvent security are prohibited and may result in loss of data.

My approach typically starts with hiding (veryhidden) all sheets except one on both a workbook_open and a workbook_beforeclose event. This will force the user(s) to 'enable macros' in order to get access to any meaningful parts of the application. Now that macros are enabled we need to decide what measures we want to take to keep this secure as possible. I typically opt for the following at a minimum:
- Password to open (encrypted)
- Workbook can only be opened from specific domain connected device and confirms the user is in active directory
- Admin login field on main sheet which, if the correct password was entered, will display workbook management tab with details such as current vba project password, admin password, etc.
- Only user(s) identified as admin of the workbook can do a 'saveas'
- All hidden sheets are 'veryhidden' vs just 'hidden'
- Password protected vba project
- User Audit Log
- "black hole"
- To note with this approach. Since the sheet gets destroyed...in case the "hacker" is doing it on the main copy of the workbook you'll want to ensure you have a good backup strategy in your organization; and/or your own backup strategy for this workbook, for example a batch script that runs on your workstation that makes a copy of the workbook at regular intervals.

You mentioned a possible licensing system...I would include all of the above features, in addition to when the workbook first opens you can have it display the current expiry date and have a field where the user would enter a code to extend the expiry date. This license code could be programmed to use whatever algorithm you choose. It can be fairly simple, or complex. I typically create a "subscription generator" workbook that I use to build license codes that I would give to the users.

Hey Candyman,

Thanks for the detailed response this is a lot of good info. This confirms for me that the best way to enact a security system on your workbook is to build it into the workbook yourself using VBA. I wasn't sure if there was some third party program that could do the licensing for you in some way.

The workbook we are using is an estimating spreadsheet that is typically used by one user at a time and on every project the company has. for example we have already probably made 200 copies of it. It would be nice to lock down all previous versions but I understand that's probably not possible nor worth the time. So all I am trying to do is lock down every copy made from here on out. The spreadsheet itself has multiple sheets 10-15 and is heavily operated by VBA and formulas.

The list of items you built is perfect and exactly what I would be looking to do. Have the worksheet password protected. Only allow certain users access and make it so they have to be on the company domain to even gain access. Identify who is considered a admin vs user with a user audit Log. And Password protect the VBA Project. Even the blackhole function is interesting, no idea how that would be applied or how the system would identify if a "hacker" was attempting to gain access but it sounds cool.

The biggest hurdle for me is actually building the system. I understand VBA enough to build out some of this but it would involve asking a lot of questions. You wouldn't happen to have a informational starting point or guide workbook that could be used to begin this endeavor?

Thanks again for your time!

 

[Fluff]

As has been said before Excel is not secure & all the above "security" measures can be very easily overcome, even by someone with no knowledge.

 

[Candyman8019]

@Falco26…
Here’s a copy of my base workbook. It contains the features I mentioned in my previous post. Caveat: I’m not a developer, but I get by…so the code may be (is) messy and in some cases probably not the most efficient way to accomplish things…but it works. This has been an ongoing work that has changed over time…so there’s cleanup that could be done If you choose.

To start, a bit of housekeeping:

• Password to open is: IWANTSECURITY Feel free to change that.
  • This encrypt with password to open is important. If it is not encrypted, a hacker can change the worksheet to a zip and remove protections/find information quite easily. This will make it a bit more difficult for them. Like we’ve said before…not impossible…just trying to thwart the majority of people trying to get in.
  • For those who do have the password to open, if they’re not identified as a SuperAdmin or other administrator, the SAVEAS function is disabled.
• Login as SuperAdmin / AdminPass
  • This will not authenticate against Active Directory
  • Change the password for SuperAdmin on the recovery tab.
  • SuperAdmin will give you access to the Config Tab, Control Panel tab, and recovery tab which has the password to get into the VBA project…probably a good idea to change that to something only you know.
• In ‘ThisWorkbook’ module set your domain in the Workbook_open sub
• On the config tab you can add a number of Administrators in columns S-T
  • These will not authenticate against Active Directory
  • These will give you access to Config tab, Control Panel tab, etc…but won’t give you the recovery tab (vba password)
• If the login is not for a SuperAdmin or Admin, then it will authenticate the entered credentials against Active Directory.
• On the Config tab there is a development indicator. If it is set to 1, when opening the workbook it will bypass the domain check for development purposes if need be. Any other value will close the app if not connected to the correct domain.
• On the Config tab, cell D1…enter your company name.
• There’s also a bunch of personal references throughout the workbook. Feel free to remove/change those to your own.
• IMPORTANT! Many of the tabs have a sub called GodMode. This is the black hole I was referring to. It is meant to draw nosey people in. DO NOT view these tabs…or at the very least, make sure you have another copy of the workbook. In the VBA for these two black hole tabs, you can change the messaging and add your email address so you get notification of the prying eyes. You can add additional black holes as you see fit, and/or remove them altogether. Like I mentioned in my previous post, if you do keep these in, you’ll want to have a good backup/recovery strategy in place so you don’t lose a bunch of work.
• And lastly, for any of the administrative or black hole tabs…I would rename them so that people can’t use formulas to see what they contain without knowing the tab names.

Like is said before…we’re not making it impossible to get into…just not making it easy for the typical user.

LoginAppV2Share - SuperAdmin-AdminPass ENC.xlsm

Microsoft Excel Workbook

1drv.ms

 

[Fluff]

just not making it easy for the typical user.

Unfortunately if somebody knows the password to open the workbook, then it is still very easy to access all the sheets without any knowledge at all.

 

[Falko26]

Thanks for all the insight guys,

I completely understand that Excel in general is not secure and no matter the amount of security measures you put in place there is always going to be someone that is going to be able to hack into it. However like Candyman said we are just trying to make it a little more difficult for the typical user to gain access. Just as you would be surprised how many people can beat these security measures you would also be surprised at how many people would be completely lost trying. Ultimately my plan is to make myself and the owner of the company the only ones able to create copies of the spreadsheet (Admin) and the only way around that is to crack the VBA code protection password which ill keep private. Is this going to keep everyone out. Not a chance. is it going to keep out the majority of people out? I hope so!

Thanks again for the insight Fluff and the workbook Candyman! Ill keep you posted on any further questions as I dive into this!