VBA and Security

[CPGDeveloper]

Hello~

So the company I work for is doing a thorough security review and I'm wondering if there's a way to prevent the following scenario:

Say I, or another developer here, become disgruntled and am fired -- and on my last day I write an Access VBA script to run in the middle of the night that deletes every file in every folder I have access to (or even worse put through some update to an end users application to do the same). Besides the obvious of denying access to anything important, is there any way to prevent this? Security with end users is one thing, but security among the development team is another -- any examples or idea of how your company might handle this would be greatly appreciated.

Thanks!

 

[Joe4]

There are many different ways that they can wreak havoc (not just limited to Access VBA, but also Excel VBA, VB Script, etc). So it doesn't really make much sense to try to handle it at the application level.

A better approach is to have some good security policies in place such as:
- Only give users access to the drives/folders that they need access to
- When firing someone, remove ALL their access and disable their accounts BEFORE notifying them that they are fired (we usually do that and then walk them out the door)

 

[Micron]

I agree - there's nothing to prevent anyone from selecting top level folders that they have access to and deleting everything within that they have delete rights for while they put their coat on. File Explorer is all you need. Where I worked, the entire system was backed up every night and complete backups were kept off site in order to minimize the potential data loss. There is nothing anyone can do to prevent deletion of anything that anyone has delete rights for whether that is directly or via code that they're normally allowed to run. Even if you could lock down apps from within after a certain hour, there is nothing that will prevent the creation of another app that will do it during those hours.

 

[Joe4]

I agree - there's nothing to prevent anyone from selecting top level folders that they have access to and deleting everything within that they have delete rights for while they put their coat on. File Explorer is all you need. Where I worked, the entire system was backed up every night and complete backups were kept off site in order to minimize the potential data loss. There is nothing anyone can do to prevent deletion of anything that anyone has delete rights for whether that is directly or via code that they're normally allowed to run. Even if you could lock down apps from within after a certain hour, there is nothing that will prevent the creation of another app that will do it during those hours.

Yes, that is an excellent point and one I overlooked and neglected to mention.
Daily back-ups are key!
Even if it is not malicious, sometimes accidental deletions happen too!