1

we have a COM add-in that we use in MS Office application like Word and Excel. That COM add-in has exposed few APIs to use, which we use for customization.

Problem is - Any user can access the APIs and that is causing security problems. we dont want that to happen, we want to give access to VBA editor to only few peoples.

Is there any way - to disable VBA editor, without disabling VBA, because we want to use other Macros and Add-ins.

Thanks in advance!

PS - I tried hiding 'Developer' tab from toolbar but anyone who knows shortcut (ALT-F11), can still use it.

Improve this question
3
  • You need to clarify if you want to prevent users from using VBA as a security measure because your API is broken, or if you want to prevent all access to COM from the system, or if you want to prevent users from installing any new programs on the system. Commented Nov 4, 2011 at 21:48
  • To sort of clarify, to prevent access to your COM API you would need to prevent access to Powershell, JScript, VBScript, Perl, and you'd need to prevent users from running or copying applications from USB key, CDROM, network shares, the Web. In fact, a hacker could even type an EXE into Notepad (likely he would use copy and paste but still). Commented Nov 4, 2011 at 21:51
  • Oh, and if you allow VBA macros in documents he can just write the document on another machine and email it. Commented Nov 4, 2011 at 21:52

3 Answers 3

Reset to default
2

If one of the requirements of the COM Add-In is restricted access, the solution shouldn't be to disable anything than can access it. The answer should be to fix the add-in itself. An easy way to do it would be to define a user group that can use the add-in, and then just make the add-in check to verify the user is a member of that group. That should be simple to implement and simple to maintain.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

The VBA Password Protection does not actually protect you from people reading the file. It's incredibly simple to remove the protection.

One alternative is to obfuscate the COM API as well as the VBA (so that, even if people can read the code, it would be difficult to figure out what's going on). Apple has done this in the past (e.g. isYoMamaWearsCombatBootsSupported -- https://github.com/JaviSoto/iOS7-Runtime-Headers/commit/6ccf9c4526992fec0dc414d48e4a3f7446e9822f#L10R61)

Improve this answer

Comments

0

Can't you add a password to view/edit code? then at least they can't see your api and should prevent them from opening the editor.

Right click the project in the VBA project window and select 'properties' to add a password to that project in the Protection tab.

Improve this answer

2 Comments

Anyone can still see the API - for example using the Object Browser. Though admittedly, if they can't see the VBA project code that calls the API, they have fewer clues as to how it should be called.
I'd go with the answer by @Oorang; anyone with a COM-capable program editor will be able to use your API, so blocking VBA won't close the hole; fixing the API is the only real solution.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.