File Security in MS Office Files
I wanted to do a post on file security – particularly for Excel files, though much of it will apply to other Office files. There are a lot of misconceptions out there, and people thinking they’re securing their work / their company’s data, when they’re really not! I apologise in advance if it gets a bit wordy, but I’ll try and keep to the point!
There are three main ways you may protect an Excel file:
- Protect the content
- Protect the VBA code
- Protect the file itself
Let’s remind ourselves what each of these does…
Protect the content
This allows you to protect parts of your file content, such as a specific range of data in your file. This is a useful way of preventing users from overwriting formulas etc in your file.
However, this isn’t a way to secure your data. This type of protection is not robust, and can (very!) easily be circumvented, in a matter of seconds.
If you just want to prevent users from over-writing your formulas etc, then go ahead and use it for what it is, but remember that you can also use this type of protection without a password just as effectively, without leading you into a sense of security that setting a ‘password’ might give you.
Protect the VBA Code
A VBA Project password is just that – a password you can set to protect any VBA code / macros you have in your file. As with protecting the content, it’s not all that secure, and can easily be removed in a couple of minutes. VBA passwords are one of my biggest bugbears – for me, if a user cares enough / knows enough about VBA to go nosing around, there’s a good chance they’ll figure out how to get around it anyway. All it does is cause problems when it comes to fixing a file protected by someone who has since left the business and not given anyone the password. After all, whilst it’s certainly easy enough to circumvent, I imagine there are few corporate IT policies which will endorse / allow this to be done! So, just don’t do it, please!
Protect the file itself
This level of protection adds a password for when you open the file itself. Without the password, you “can’t” view the file at all.
There’s a little more to this one though, especially in corporate environments, and more so those that are still on older software / not long moved away from older software.
Loosely speaking, Microsoft Office has always used encryption on files secured in this way. However, the level of encryption has been incredibly low (16 bit in Office 95), and could be quickly broken. Whilst this did improve with 2003 (40 bit), this is still too low to be compliant with most IT policies, and is not as secure as you would want sensitive data to be.
In 2007, encryption was improved to 128 bit, which will be strong enough to be compliant with most corporate policies – but be sure to check, as other companies may seek 256 bit protection. Office 2010 still uses 128 bit, but has been improved somewhat, so remains an option in most environments. From what I’ve read, Office 2013 also uses 128 bit.
By way of comparison, Enterprise Wi-Fi will typically be 256 bit encrypted.
Now, if you’re thinking ‘great, I’ll go and save all my old files in Office 2010 with encryption’ – there are further considerations. From what I can find out, by default, if you save a ‘2003’ (.xls) file format in Office 2010, it won’t use the 128 bit encryption. You need to be saving it in the newer .xlsx / .xlsm formats! There are, from what I can gather, ways to re-configure Office 2010 to force it to use 128 bit encryption on .xls files, but I’ll let you look into that option if you think you need to.
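To make the difference between ‘protected’ and ‘encrypted’ concrete, here is a small audit check, added as an example and not part of the original post. It relies on two format facts: an unencrypted .xlsx / .xlsm is a ZIP of XML parts, whereas a file with a password to open is stored in an OLE compound container (the same container the legacy .xls format uses). The function names and the sample workbook are constructed for illustration.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
ZIP_MAGIC = b"PK\x03\x04"                      # ZIP local file header

def audit_office_file(data: bytes) -> dict:
    """Report the container type and any protection that is not encryption."""
    report = {"container": "unknown", "file_encrypted": None,
              "protected_sheets": [], "has_vba": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary file (.xls/.doc/.ppt) or an encrypted OOXML package;
        # telling them apart needs a compound-file directory parse (not done here).
        report["container"] = "ole-compound"
        return report
    if not data.startswith(ZIP_MAGIC):
        return report
    report["container"] = "ooxml-zip"
    report["file_encrypted"] = False  # a password to open would wrap the package in OLE
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("vbaProject.bin"):
                report["has_vba"] = True
            elif re.fullmatch(r"xl/worksheets/[^/]+\.xml", name):
                if re.search(rb"<(\w+:)?sheetProtection\b", zf.read(name)):
                    report["protected_sheets"].append(name)
    return report

def make_sample_xlsx() -> bytes:
    """Constructed, minimal stand-in for a macro-enabled workbook (not a full one)."""
    ns = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
    locked = (f'<worksheet xmlns="{ns}"><sheetData><row r="1"><c r="A1"><v>42</v></c>'
              f'</row></sheetData><sheetProtection sheet="1"/></worksheet>')
    plain = f'<worksheet xmlns="{ns}"><sheetData/></worksheet>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", locked)
        zf.writestr("xl/worksheets/sheet2.xml", plain)
        zf.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_office_file(make_sample_xlsx()))
```

A result with protected sheets listed and `file_encrypted` set to `False` is exactly the false sense of security described above: the sheet is locked against edits, but the data sits in the file unencrypted.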
Word, Outlook, PowerPoint
Word & PowerPoint work in much the same way as Excel, with the same level of protection offered when adding a File Password.
Outlook, however, is a little different. If you create a .pst file to archive your old emails, even if you use a password, it’s not encrypted – so you’ll want to ensure wherever you store it is itself encrypted (such as a BitLocker drive).
And that’s about it – so next time you need to protect your work, consider whether you’re protecting it in the most appropriate manner – and of course, even full file encryption will only do its job if you pick a good, secure password. Ask your IT / Info-Security team what your password policy is, and try sticking to it, even if it’s not ‘forced’ in all environments, such as saving Excel files.