I hope to get many responses on this.

S

Steven

I am currently in pain over the Sarbanes-Oxley rules and what they are
requiring. I am not sure if I am so upset over the requirements or what
appears to be manangements and Sarbanes auditors lack of knowledge of how to
use excel. The Sarbanes people want to throw more people at every issue and
my feeling is the real issue is their lack of knowledge of excel. Here is a
general idea of my proposal. I feel it would probably take care of half of
what they call deficiencies.

My question is how secure it this: I have to send a pre formatted excel
file "File01" to 10 subsidiaries so they can input thier month end financial
data. The file has 12 sheets. I passworded each sheet and only made
unprotected cells where I want input. I also passworded the workbook. I
also passworded the file. Now to open the file I also send each user a
second file "File02", it's sole purpose is to open the first file with code
which the VBA is also passworded. What I am telling the Sarbanes-Oxley
people is the file is secure and I will know if I get the correct File01
back becuase the first process when I open the file is to see if the file has
a password. If they do not send me the correct file then either the file
will not open because it has the wrong password or they used another file
with no password which I will catch when I ask if the file has a password. I
want to use this method because when I get the 10 files back I can do
basically anything I want with the data using macros to automate the combing
of data anyway that I want. Question: How secure is this method in that the
user will have to use File02 as the opening file to force use of File01 that
has file, workbook and worksheet protection. How easy would it be for
someone to get past all that security? Note: I am thinking if they get past
the file password it will not do them any good because they will not be able
to get past the Workbook and Worksheet security. I will also be testing each
files passwords for Workbook and Worksheet.

Thank you for your comments.

Steven
 
J

Joel

The excel password is easy to break in less than 5 minutes. There are
programs readily available or the web to do this. I would lock the workbook,
but when you get a filled workbook back extract the data only and put it not
your own templet. Also perform checks to make sure the file you get back was
correctly entered. It is possible that the workbook will get unlocked and
any formulas may have gotten changed. This is the only way to insure that
the file wasn't changed or modified incorrectly.
 
S

Steven

Joel,

Thank you for your response. How easy are the WorkBook Protect and Sheet
Protect passwords to break? If they are not easy then I can easily test that
the passwords there are correct also. Also how hard is the VBA password to
break?

Steven
 
I

Internetdomainowner

I am currently in pain over the Sarbanes-Oxley rules and what they are
requiring.  I am not sure if I am so upset over the requirements or what
appears to be manangements and Sarbanes auditors lack of knowledge of howto
use excel.  The Sarbanes people want to throw more people at every issue and
my feeling is the real issue is their lack of knowledge of excel.  Hereis a
general idea of my proposal.  I feel it would probably take care of half of
what they call deficiencies.

My question is how secure it this:  I have to send a pre formatted excel
file "File01" to 10 subsidiaries so they can input thier month end financial
data.  The file has 12 sheets.  I passworded each sheet and only made
unprotected cells where I want input.  I also passworded the workbook.  I
also passworded the file.  Now to open the file I also send each user a
second file "File02", it's  sole purpose is to open the first file withcode
which the VBA is also passworded.  What I am telling the Sarbanes-Oxley
people is the file is  secure and I will know if I get the correct File01
back becuase the first process when I open the file is to see if the filehas
a password.  If they do not send me the correct file then either the file
will not open because it has the wrong password or they used another file
with no password which I will catch when I ask if the file has a password..  I
want to use this method because when I get the 10 files back I can do
basically anything I want with the data using macros to automate the combing
of data anyway that I want.  Question:  How secure is this method in that the
user will have to use File02 as the opening file to force use of File01 that
has file, workbook and worksheet protection.  How easy would it be for
someone to get past all that security?  Note:  I am thinking if they get past
the file password it will not do them any good because they will not be able
to get past the Workbook and Worksheet security.  I will also be testing each
files passwords for Workbook and Worksheet.

Thank you for your comments.

Steven

Steven,

Anyone who knows anything about password protection with Excel knows
that it's only to delay someone from really get into the bowels of
spreadsheets and if you really know what your doing it will only take
a few minutes... I can break any password Excel throws at me. Infact
if you Google "Excel password breakers" your going to get quite a few
different ones. I'd recommend instead of all these passwords that you
make specific to the computers domain, IP address (if possible not
static), and a password that changes on a daily basis...

If you look into the VBA code you can see that it states
"password=youpassword" change that into "password= TEXT(FORMAT(NOW,
"DDYYYYDDYY") that way the password constantly keeps changing and with
the other information -- you will be pretty good. The problem with VBA
password breakers is they can't detect formula driven passwords but
they can always reset them.
 
I

Internetdomainowner

Steven,

Anyone who knows anything about password protection with Excel knows
that it's only to delay someone from really get into the bowels of
spreadsheets and if you really know what your doing it will only take
a few minutes... I can break any password Excel throws at me. Infact
if you Google "Excel password breakers" your going to get quite a few
different ones. I'd recommend instead of all these passwords that you
make specific to the computers domain, IP address (if possible not
static), and a password that changes on a daily basis...

If you look into the VBA code you can see that it states
"password=youpassword" change that into "password= TEXT(FORMAT(NOW,
"DDYYYYDDYY") that way the password constantly keeps changing and with
the other information -- you will be pretty good. The problem with VBA
password breakers is they can't detect formula driven passwords but
they can always reset them.- Hide quoted text -

- Show quoted text -

Also I should mention that I've really looked into this -- even having
a program to encrypt the contents of the a workbook and decrypt the
contents using a custom made encryption set. I even tried to dable in
retrieving the computers harddrive serial number (never got it to
work). Your best bet if you really want to make things secure is make
it so that the workbook shoots an e-mail to you each time it is opened
(and if your smart you can make it so that the changes get documented
in the e-mail on workbook close.) Something else to consider is maybe
having the workbook be controlled all through userform elements
(specifically the wonderful and awsome XML spreadsheet plug-in). With
enough practice you can get that spreadsheet to do 1000 times as much
as a basic spreadsheet. I'd recommend looking into using UserForms
with data pulled from a hidden webaddress and using DOS batch scripts
to FTP the changed data to a website...

This isn't going to be an easy thing to figure out (infact I just
learned how to do this and the complexity of my programs has gone up
dramatically). Which ever you choose (maybe if this out of your realm
you could always hire someone who knows what they are doing)...
 
J

Joel

The passwords can be broken using a macro in under 5 minutes. The macro
tries every possible pasword until it is broken. The lenght of the password
and the number of valid characters are limited.

My boss got US government spreadsheet which was supplied when bidding on
govenrment contracts. There were hidden formulas that was used to get final
cost. We wanted to see what the formulas look like so we ran the macro and
got the password. We then locked the workbook before returning our bidded
cost. We didn't make any changes but was curious what the formulas look like.
 
J

Joel

The real question is why does the workbook need to be secure. It seems from
the original description Steven need to protect the format of the workbook so
his auditors have insurancance that the workbook is good. that formulas
weren't corrupted.

The simpliest method for achieving this is just to use the copied workbook
as a form to collect the data. Then retrieve the data and copy the data to a
secure workbook that can be verifed by the auditors.
 
T

Tushar Mehta (Microsoft MVP Excel 2000-2008)

I am not going to comment on the competency of SOX auditors when it
comes to Excel nor am I an expert in SOX.

That said, I find it hard to believe anyone can make Excel SOX-
compliant.

Just the fact that you claim you can do anything you want with the
data you receive from the 10 sources makes the use of Excel suspect.
At a minimum SOX has to require one to be able to trace any set of
numbers to their source and "basically anything I want with the data
using macros to automate the combing of data anyway that I want"
doesn't seem to be SOX-friendly.

Also, your entire scheme relies on File02 using VBA to unlock File01.
That, of course, means the passwords for File01 are in the VBA code in
File02. So, if anyone can hack into File02's VBA code, they would
know the passwords for File01. And, from what I've read, to hack into
VBA code takes...with software that I believe is easily available on
the Internet...a few seconds.
 
S

Steven

Sarbanes Oxley is not totally bad but it has gone way to far and I hope it
gets revised. If companies followed the basic rules of internal control that
have been established for decades then there would not be this issue. I have
so much venom to spew, but I know this is not a commentary forum so I will
stop here, and I really enjoy this website.

Why cannot MS make a password scheme that cannot be hacked? Or at least
make it to where it takes too long to hack it.

Thank you for your responses.

Steven
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top