Home |
Search |
Today's Posts |
#1
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
I am currently in pain over the Sarbanes-Oxley rules and what they are
requiring. I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. Here is a general idea of my proposal. I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. The file has 12 sheets. I passworded each sheet and only made unprotected cells where I want input. I also passworded the workbook. I also passworded the file. Now to open the file I also send each user a second file "File02", it's sole purpose is to open the first file with code which the VBA is also passworded. What I am telling the Sarbanes-Oxley people is the file is secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. Question: How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. How easy would it be for someone to get past all that security? Note: I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven |
#2
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
The excel password is easy to break in less than 5 minutes. There are
programs readily available or the web to do this. I would lock the workbook, but when you get a filled workbook back extract the data only and put it not your own templet. Also perform checks to make sure the file you get back was correctly entered. It is possible that the workbook will get unlocked and any formulas may have gotten changed. This is the only way to insure that the file wasn't changed or modified incorrectly. "Steven" wrote: I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. Here is a general idea of my proposal. I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. The file has 12 sheets. I passworded each sheet and only made unprotected cells where I want input. I also passworded the workbook. I also passworded the file. Now to open the file I also send each user a second file "File02", it's sole purpose is to open the first file with code which the VBA is also passworded. What I am telling the Sarbanes-Oxley people is the file is secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. Question: How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. How easy would it be for someone to get past all that security? Note: I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven |
#3
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
Joel,
Thank you for your response. How easy are the WorkBook Protect and Sheet Protect passwords to break? If they are not easy then I can easily test that the passwords there are correct also. Also how hard is the VBA password to break? Steven "Joel" wrote: The excel password is easy to break in less than 5 minutes. There are programs readily available or the web to do this. I would lock the workbook, but when you get a filled workbook back extract the data only and put it not your own templet. Also perform checks to make sure the file you get back was correctly entered. It is possible that the workbook will get unlocked and any formulas may have gotten changed. This is the only way to insure that the file wasn't changed or modified incorrectly. "Steven" wrote: I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. Here is a general idea of my proposal. I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. The file has 12 sheets. I passworded each sheet and only made unprotected cells where I want input. I also passworded the workbook. I also passworded the file. Now to open the file I also send each user a second file "File02", it's sole purpose is to open the first file with code which the VBA is also passworded. What I am telling the Sarbanes-Oxley people is the file is secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. Question: How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. How easy would it be for someone to get past all that security? Note: I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven |
#4
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
On Jul 24, 8:27*pm, Steven wrote:
I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. *I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. *The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. *Here is a general idea of my proposal. *I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: *I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. *The file has 12 sheets. *I passworded each sheet and only made unprotected cells where I want input. *I also passworded the workbook. *I also passworded the file. *Now to open the file I also send each user a second file "File02", it's *sole purpose is to open the first file with code which the VBA is also passworded. *What I am telling the Sarbanes-Oxley people is the file is *secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. *If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password.. *I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. *Question: *How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. *How easy would it be for someone to get past all that security? *Note: *I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. *I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven Steven, Anyone who knows anything about password protection with Excel knows that it's only to delay someone from really get into the bowels of spreadsheets and if you really know what your doing it will only take a few minutes... I can break any password Excel throws at me. Infact if you Google "Excel password breakers" your going to get quite a few different ones. I'd recommend instead of all these passwords that you make specific to the computers domain, IP address (if possible not static), and a password that changes on a daily basis... If you look into the VBA code you can see that it states "password=youpassword" change that into "password= TEXT(FORMAT(NOW, "DDYYYYDDYY") that way the password constantly keeps changing and with the other information -- you will be pretty good. The problem with VBA password breakers is they can't detect formula driven passwords but they can always reset them. |
#5
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
On Jul 24, 9:39*pm, wrote:
On Jul 24, 8:27*pm, Steven wrote: I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. *I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. *The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. *Here is a general idea of my proposal. *I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: *I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. *The file has 12 sheets. *I passworded each sheet and only made unprotected cells where I want input. *I also passworded the workbook.. *I also passworded the file. *Now to open the file I also send each user a second file "File02", it's *sole purpose is to open the first file with code which the VBA is also passworded. *What I am telling the Sarbanes-Oxley people is the file is *secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. *If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. *I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. *Question: *How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. *How easy would it be for someone to get past all that security? *Note: *I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. *I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven Steven, Anyone who knows anything about password protection with Excel knows that it's only to delay someone from really get into the bowels of spreadsheets and if you really know what your doing it will only take a few minutes... I can break any password Excel throws at me. Infact if you Google "Excel password breakers" your going to get quite a few different ones. I'd recommend instead of all these passwords that you make specific to the computers domain, IP address (if possible not static), and a password that changes on a daily basis... If you look into the VBA code you can see that it states "password=youpassword" change that into "password= TEXT(FORMAT(NOW, "DDYYYYDDYY") that way the password constantly keeps changing and with the other information -- you will be pretty good. The problem with VBA password breakers is they can't detect formula driven passwords but they can always reset them.- Hide quoted text - - Show quoted text - Also I should mention that I've really looked into this -- even having a program to encrypt the contents of the a workbook and decrypt the contents using a custom made encryption set. I even tried to dable in retrieving the computers harddrive serial number (never got it to work). Your best bet if you really want to make things secure is make it so that the workbook shoots an e-mail to you each time it is opened (and if your smart you can make it so that the changes get documented in the e-mail on workbook close.) Something else to consider is maybe having the workbook be controlled all through userform elements (specifically the wonderful and awsome XML spreadsheet plug-in). With enough practice you can get that spreadsheet to do 1000 times as much as a basic spreadsheet. I'd recommend looking into using UserForms with data pulled from a hidden webaddress and using DOS batch scripts to FTP the changed data to a website... This isn't going to be an easy thing to figure out (infact I just learned how to do this and the complexity of my programs has gone up dramatically). Which ever you choose (maybe if this out of your realm you could always hire someone who knows what they are doing)... |
#6
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
The passwords can be broken using a macro in under 5 minutes. The macro
tries every possible pasword until it is broken. The lenght of the password and the number of valid characters are limited. My boss got US government spreadsheet which was supplied when bidding on govenrment contracts. There were hidden formulas that was used to get final cost. We wanted to see what the formulas look like so we ran the macro and got the password. We then locked the workbook before returning our bidded cost. We didn't make any changes but was curious what the formulas look like. "Steven" wrote: Joel, Thank you for your response. How easy are the WorkBook Protect and Sheet Protect passwords to break? If they are not easy then I can easily test that the passwords there are correct also. Also how hard is the VBA password to break? Steven "Joel" wrote: The excel password is easy to break in less than 5 minutes. There are programs readily available or the web to do this. I would lock the workbook, but when you get a filled workbook back extract the data only and put it not your own templet. Also perform checks to make sure the file you get back was correctly entered. It is possible that the workbook will get unlocked and any formulas may have gotten changed. This is the only way to insure that the file wasn't changed or modified incorrectly. "Steven" wrote: I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. Here is a general idea of my proposal. I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. The file has 12 sheets. I passworded each sheet and only made unprotected cells where I want input. I also passworded the workbook. I also passworded the file. Now to open the file I also send each user a second file "File02", it's sole purpose is to open the first file with code which the VBA is also passworded. What I am telling the Sarbanes-Oxley people is the file is secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. Question: How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. How easy would it be for someone to get past all that security? Note: I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven |
#7
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
The real question is why does the workbook need to be secure. It seems from
the original description Steven need to protect the format of the workbook so his auditors have insurancance that the workbook is good. that formulas weren't corrupted. The simpliest method for achieving this is just to use the copied workbook as a form to collect the data. Then retrieve the data and copy the data to a secure workbook that can be verifed by the auditors. " wrote: On Jul 24, 9:39 pm, wrote: On Jul 24, 8:27 pm, Steven wrote: I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. Here is a general idea of my proposal. I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. The file has 12 sheets. I passworded each sheet and only made unprotected cells where I want input. I also passworded the workbook.. I also passworded the file. Now to open the file I also send each user a second file "File02", it's sole purpose is to open the first file with code which the VBA is also passworded. What I am telling the Sarbanes-Oxley people is the file is secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. Question: How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. How easy would it be for someone to get past all that security? Note: I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven Steven, Anyone who knows anything about password protection with Excel knows that it's only to delay someone from really get into the bowels of spreadsheets and if you really know what your doing it will only take a few minutes... I can break any password Excel throws at me. Infact if you Google "Excel password breakers" your going to get quite a few different ones. I'd recommend instead of all these passwords that you make specific to the computers domain, IP address (if possible not static), and a password that changes on a daily basis... If you look into the VBA code you can see that it states "password=youpassword" change that into "password= TEXT(FORMAT(NOW, "DDYYYYDDYY") that way the password constantly keeps changing and with the other information -- you will be pretty good. The problem with VBA password breakers is they can't detect formula driven passwords but they can always reset them.- Hide quoted text - - Show quoted text - Also I should mention that I've really looked into this -- even having a program to encrypt the contents of the a workbook and decrypt the contents using a custom made encryption set. I even tried to dable in retrieving the computers harddrive serial number (never got it to work). Your best bet if you really want to make things secure is make it so that the workbook shoots an e-mail to you each time it is opened (and if your smart you can make it so that the changes get documented in the e-mail on workbook close.) Something else to consider is maybe having the workbook be controlled all through userform elements (specifically the wonderful and awsome XML spreadsheet plug-in). With enough practice you can get that spreadsheet to do 1000 times as much as a basic spreadsheet. I'd recommend looking into using UserForms with data pulled from a hidden webaddress and using DOS batch scripts to FTP the changed data to a website... This isn't going to be an easy thing to figure out (infact I just learned how to do this and the complexity of my programs has gone up dramatically). Which ever you choose (maybe if this out of your realm you could always hire someone who knows what they are doing)... |
#8
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
I am not going to comment on the competency of SOX auditors when it
comes to Excel nor am I an expert in SOX. That said, I find it hard to believe anyone can make Excel SOX- compliant. Just the fact that you claim you can do anything you want with the data you receive from the 10 sources makes the use of Excel suspect. At a minimum SOX has to require one to be able to trace any set of numbers to their source and "basically anything I want with the data using macros to automate the combing of data anyway that I want" doesn't seem to be SOX-friendly. Also, your entire scheme relies on File02 using VBA to unlock File01. That, of course, means the passwords for File01 are in the VBA code in File02. So, if anyone can hack into File02's VBA code, they would know the passwords for File01. And, from what I've read, to hack into VBA code takes...with software that I believe is easily available on the Internet...a few seconds. On Thu, 24 Jul 2008 17:27:01 -0700, Steven wrote: I am currently in pain over the Sarbanes-Oxley rules and what they are requiring. I am not sure if I am so upset over the requirements or what appears to be manangements and Sarbanes auditors lack of knowledge of how to use excel. The Sarbanes people want to throw more people at every issue and my feeling is the real issue is their lack of knowledge of excel. Here is a general idea of my proposal. I feel it would probably take care of half of what they call deficiencies. My question is how secure it this: I have to send a pre formatted excel file "File01" to 10 subsidiaries so they can input thier month end financial data. The file has 12 sheets. I passworded each sheet and only made unprotected cells where I want input. I also passworded the workbook. I also passworded the file. Now to open the file I also send each user a second file "File02", it's sole purpose is to open the first file with code which the VBA is also passworded. What I am telling the Sarbanes-Oxley people is the file is secure and I will know if I get the correct File01 back becuase the first process when I open the file is to see if the file has a password. If they do not send me the correct file then either the file will not open because it has the wrong password or they used another file with no password which I will catch when I ask if the file has a password. I want to use this method because when I get the 10 files back I can do basically anything I want with the data using macros to automate the combing of data anyway that I want. Question: How secure is this method in that the user will have to use File02 as the opening file to force use of File01 that has file, workbook and worksheet protection. How easy would it be for someone to get past all that security? Note: I am thinking if they get past the file password it will not do them any good because they will not be able to get past the Workbook and Worksheet security. I will also be testing each files passwords for Workbook and Worksheet. Thank you for your comments. Steven |
#9
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
Sarbanes Oxley is not totally bad but it has gone way to far and I hope it
gets revised. If companies followed the basic rules of internal control that have been established for decades then there would not be this issue. I have so much venom to spew, but I know this is not a commentary forum so I will stop here, and I really enjoy this website. Why cannot MS make a password scheme that cannot be hacked? Or at least make it to where it takes too long to hack it. Thank you for your responses. Steven |
#10
Posted to microsoft.public.excel.programming
|
|||
|
|||
I hope to get many responses on this.
What about excel 2007. Easy to crack also?
"Steven" wrote: Sarbanes Oxley is not totally bad but it has gone way to far and I hope it gets revised. If companies followed the basic rules of internal control that have been established for decades then there would not be this issue. I have so much venom to spew, but I know this is not a commentary forum so I will stop here, and I really enjoy this website. Why cannot MS make a password scheme that cannot be hacked? Or at least make it to where it takes too long to hack it. Thank you for your responses. Steven |
Reply |
Thread Tools | Search this Thread |
Display Modes | |
|
|
Similar Threads | ||||
Thread | Forum | |||
Counting responses | Excel Discussion (Misc queries) | |||
Help with questionnaire responses | Excel Worksheet Functions | |||
no responses... | Excel Discussion (Misc queries) | |||
counting responses - please help | Excel Worksheet Functions | |||
adding up yes, no, n/a responses | Excel Discussion (Misc queries) |