protection

Excel Security and Not Excel security, that’s the question

Executive overview

Excel has various levels of protection.
Many people use worksheet protection.  This feature is designed as a simple blocker to avoid unwanted edits to your sheet. Users can open and use the file without the protection password.

By design, Excel sheet protection is NOT a security measure, to keep data secret or to hide IP or formulas from unauthorized parties. The worksheet protection password is fairly easy to remove as explained below.

If you want actual protection in your Excel sheet, you need to use the encryption feature, but then every user will be forced to enter a password to open the file.  Which is difficult from usability point of view. And you need to apply security for each user separately.

Applies to

This discussion actually applies to the latest version of Excel in the Office 365 version. Some options or features might not be available or might not apply to previous/older versions of MS office.

Introduction

If you spend a lot of time to build a smart calculations or data management solutions in Excel, it’s very likely that you want to protect your hard word, or the smart layout or the intelligence behind your calculations. Or simply avoid any accidents crippling the nice layout.

Most people will first think about worksheet protection to achieve this, but there are some more options.

Excel Security options

If you create or open an Excel sheet (in current version of Office 365), you can add security via the menu “FIle” then choose the “Info” option.

Then click the “Protect Workbook” option.

Worksheet protection

In short: Worksheet protection is not intended to be a security feature.

And that’s documented at: https://support.microsoft.com/office/protect-a-worksheet-3179efdb-1285-4d49-a9c3-f4ca36276de6

From the Microsoft support document, the security impact of the protection features is explained as (quote):

Important: 

  • Worksheet level protection is not intended as a security feature. It simply prevents users from modifying locked cells within the worksheet.
  • Protecting a worksheet is not the same as protecting an Excel file or a workbook with a password. See below for more information:

Even with worksheet protection, the formulas are stored in the file as this is what allows you to later modify the formulas and for the cells to update their values. Because the file is not encrypted, a user could inspect the file contents to determine what the formulas are.

For advanced Excel users:

  • There are mechanisms that allow you to remove formulas from the workbook while keeping the cell values the same. When this is done, these cell values no longer update as they no longer have a formula.
  • If you want to strip out a formula that refers to another workbook, you can use the break link feature for external links (Data tab > Queries and Connections section > Edit Links > Break Link) – this keeps the current value of the cell and removes the formula referencing the external workbook.
  • If you want to strip out a formula regardless of where it refers to, the easiest way to do this is to copy the cell and paste as value to the same cell.

Implementing worksheet protection

Implementing worksheet security using encryption

Managing cell security

Before you activate worksheet protection, you need to consider unblocking cells to allow edit when protection is activated. Right click the target cells, you want to leave unprotected.

In the cell format options, “Locked” is enabled by default. Uncheck if you want to edit after password lock.

Next, to activate worksheet protection, right click the worksheet tab (below) and click the Protect sheet option.

You  can select which kind of protection you need on the level of the sheet and cells.

You need to enter the password and then reconfirm, of course.

Now, when you try to edit the cells that are blocked, you’ll get an error.

The actual Excel security: sheet encryption

To implement actual security, you need to encrypt the file.
When you want to use encryption, go back to the file menu and workbook protection, as explained earlier.

Choose the encryption option

When you save the file and try to reopen it, you’ll get a password prompt.

In one of the next chapters below, I’ll show what happens with the file security, and if you can hack it… or not.

Hacking Excel worksheet protection

The actual reason for this article, is that the worksheet protection is NOT a security feature and more important, the worksheet protection can be broken in a matter of seconds.

You’ll find a lot of password cracking tools, brute force password guessing or macro scripts to crack the passwords. Don’t bother if you simply want to remove the password protection.

The worksheet protection is embedded in the XLSX file, as XML. And you should consider the XLS sheet as a compressed/zipped dossier/file collection of config files containing the hashed password.

And that’s exactly the easy shortcut to remove the password, remove the password hash.
I won’t go in detail on the steps, but it’s about renaming the XLS file to zip, opening the zip, removing the pasword hash, saving the file, rename to XLS and open your sheets without password protection.

The method is explained over here: http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/

Hacking encryption? (Nope!)

Using the XLS to Zip rename, you can inspect the file content of the encrypted file.

When you try the same technique, removing the encryption info…you’ll notice that the “EncryptionInfo” is not allowing to save. And you can’t remove the encryption (at least not this way, here we stop… )

When you try to remove the encryption tag, including the cipher and password hash, you’ll notice it won’t work.

Reporting security issues to Microsoft

If you think or suspect to have found a security issue in a Microsoft product, don’t hesitate to report it.

To report a vulnerability in a Microsoft product or service, got to the Microsoft Security Response Center (MSRC) website at : https://www.microsoft.com/msrc.

You can track the status of your report as the MSRC team will work with you to investigate and resolve the issue. Or confirm that a suspected behaviour is not a security issue, but a light-weight protection to avoid layout incidents.

Active Directory PowerShell: List items with “Protect object from accidental deletion” setting

Freshly posted for you on TNWiki: Active Directory PowerShell: List items with “Protect object from accidental deletion” setting

Introduction

Ever got in a situation where you as AD domain admin were blocked from deleting items?

Or did you ever receive an “Access denied” when you tried to delete items from AD, even with full admin rights?

Then you better check if AD has the “protect from accidental deletion” activated on the object, container or OU…

In case you want to check a larger collection of items for this setting, it quickly becomes complicated.

This article helps you to get an overview by using Powershell, and an export of the impacted items to a CSV file.

As explained by : James ONeill (Windows Server 2008 Protection from Accidental Deletion)

“The functionality to prevent accidental deletion is not based on a new attribute in Active Directory.  It is enabled by ticking a check box on the Object tab of the particular object you wish to protect.  The Object tab is only visible when the Advanced Features option is selected from the View menu of Active Directory Users and Computers. When the tick box is checked the permissions on the object are changed. A “Deny” permission is created which stops deletion of the object.  “

Overview

This script finds all AD objects protected from accidental deletions.

Credits

This script uses logic that has been developed by:

Source references


Active Directory OU Permissions Report: Free PowerShell Script Download


Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory


Windows Server 2008 Protection from Accidental Deletion

Prerequisites

This script only runs if you can load the AD PS module eg. run the analysis
on a DC.

Downloads (Gallery)

Source Code

Full Version (with progress bar)

001002

 

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

<##############################################################################Author: Peter Geelen

 

Quest For Security

October 2016
https://identityunderground.wordpress.com

This script finds all AD objects protected by accidental deletions.

Credits: This script uses logic that has been developed by:

– Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE

– Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,

provided that You agree:

(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and

(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys  fees, that arise or result from the use or distribution of the Sample Code.

 

This posting is provided “AS IS” with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

##############################################################################>


#—————————————————————————–

#Source references


#—————————————————————————–


#Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

#abizer_hazratJune 9, 2009


#https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/


#Windows Server 2008 Protection from Accidental Deletion

#James ONeill, October 31, 2007


#https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/


#—————————————————————————–

#Prerequisites: 


#this script only runs if you can load the AD PS module

#eg. run the analysis on a DC


#—————————————————————————–

cls

import-module activedirectory


#—————————————————————————–

#initialisation


#—————————————————————————–


#the CSV file is saved in the same directory as the PS file

$csvFile = $MyInvocation.MyCommand.Definition -replace ‘ps1’,‘csv’

$report = @()

#(*) Credits 

$schemaIDGUID = @{}


### NEED TO RECONCILE THE CONFLICTS ###

$ErrorActionPreference = ‘SilentlyContinue’

Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter ‘(schemaIDGUID=*)’ -Properties name, schemaIDGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}

Get-ADObject -SearchBase “CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)” -LDAPFilter ‘(objectClass=controlAccessRight)’ -Properties name, rightsGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)}

$ErrorActionPreference = ‘Continue’

#(*)


#—————————————————————————–

#Functions


#—————————————————————————–

function CheckProtection

{

    param($obj)

    $path = “AD:\” + $obj

    Get-Acl -Path $path | `

    Select-Object -ExpandProperty Access | `

    Where-Object {($_.ActiveDirectoryRights -like “*DeleteTree*”-AND ($_.AccessControlType -eq “Deny”)} | `

        #(*)

        Select-Object @{name=‘Object’;expression={$obj}}, `

        @{name=‘objectTypeName’;expression={if ($_.objectType.ToString() -eq ‘00000000-0000-0000-0000-000000000000’) {‘All’Else {$schemaIDGUID.Item($_.objectType)}}}, `

        @{name=‘inheritedObjectTypeName’;expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `

        #(*)

        ActiveDirectoryRights,

        ObjectFlags,

        AccessControlType,

        IdentityReference,

        IsInherited,

        InheritanceFlags,

        PropagationFlags

}


#—————————————————————————–

#MAIN


#—————————————————————————–

#add the top domain

$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)

#add the OUs

$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

#add other containers

$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(|(objectClass=container)(objectClass=builtinDomain))’ | Select-Object -ExpandProperty DistinguishedName


#if you don’t want to scan the builtin container use line below instead of line above


#$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(objectClass=container)’ | Select-Object -ExpandProperty DistinguishedName


#set the target objects types to investigate


#including users, groups, contacts, computers

$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))’


#$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer)(objectclass=Foreign-Security-Principal))’


#not included: Foreign-Security-Principal, msTPM-InformationObjectsContainer, msDS-QuotaContainer, lostAndFound,

$iSeqNo = 0

$OUCount = $OUs.Count

ForEach ($OU in $OUs

{

    $iSeqNo++

    $pct = ([int]($iSeqNo/$OUCount * 100))

    $activity = “Analyzing container: “+ $OU

    Write-Progress -activity $activity -status “Please wait” -percentcomplete $pct -currentoperation “now processing container $iSeqNo of $OUCount” -id 1

    #check the protection of the parent container

    $isProtected = 

    $isProtected = CheckProtection $OU

    if ($isProtected -ne $null) {$report += $isProtected}

    

    #Lookup the child target objects in the parent container

    $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName

    $iSubSeqNo = 0

    $ObjCount = $objects.Count

    

    #check the protection of the child objects

    ForEach ($object in $objects)

    {

        $iSubSeqNo++

        $iSubpct = ([int]($iSubSeqNo/$ObjCount * 100))

        $SubActivity = “Analyzing object: “+ $object 

        Write-Progress -activity $SubActivity -status “Please wait” -percentcomplete $iSubpct -currentoperation “now processing object $iSubSeqNo of $ObjCount” -ParentId 1 -id 2

    

        $isProtected = 

        $isProtected = CheckProtection $object

        if ($isProtected -ne $null) {$report += $isProtected}

    }

        Write-Progress -activity “Analyzing object completed.” -status “Proceeding” -Completed -ParentId 1 -id 2

}

$report | Format-Table -Wrap

$report | Export-Csv -Path $csvFile -NoTypeInformation

Light version (without progress bar)

001002

 

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

<##############################################################################Author: Peter Geelen Quest For Security  October 2016

 

https://identityunderground.wordpress.com

This script finds all AD objects protected by accidental deletions.

Credits: This script uses logic that has been developed by:

– Ashley McGlone, Microsoft Premier Field Engineer, March 2013, http://aka.ms/GoateePFE

– Source: https://gallery.technet.microsoft.com/Active-Directory-OU-1d09f989

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.

We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code,

provided that You agree:

(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded;and

(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys  fees, that arise or result from the use or distribution of the Sample Code.

 

This posting is provided “AS IS” with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm.

##############################################################################>


#—————————————————————————–

#Source references


#—————————————————————————–


#Preventing Unwanted/Accidental deletions and Restore deleted objects in Active Directory

#abizer_hazratJune 9, 2009


#https://blogs.technet.microsoft.com/abizerh/2009/06/09/preventing-unwantedaccidental-deletions-and-restore-deleted-objects-in-active-directory/


#Windows Server 2008 Protection from Accidental Deletion

#James ONeill, October 31, 2007


#https://blogs.technet.microsoft.com/industry_insiders/2007/10/31/windows-server-2008-protection-from-accidental-deletion/


#—————————————————————————–

#Prerequisites: 


#this script only runs if you can load the AD PS module

#eg. run the analysis on a DC


#—————————————————————————–

cls

import-module activedirectory


#—————————————————————————–

#initialisation


#—————————————————————————–


#the CSV file is saved in the same directory as the PS file

$csvFile = $MyInvocation.MyCommand.Definition -replace ‘ps1’,‘csv’

$report = @()

#(*) Credits 

$schemaIDGUID = @{}


### NEED TO RECONCILE THE CONFLICTS ###

$ErrorActionPreference = ‘SilentlyContinue’

Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -LDAPFilter ‘(schemaIDGUID=*)’ -Properties name, schemaIDGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.schemaIDGUID,$_.name)}

Get-ADObject -SearchBase “CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)” -LDAPFilter ‘(objectClass=controlAccessRight)’ -Properties name, rightsGUID |

 ForEach-Object {$schemaIDGUID.add([System.GUID]$_.rightsGUID,$_.name)}

$ErrorActionPreference = ‘Continue’

#(*)


#—————————————————————————–

#Functions


#—————————————————————————–

function CheckProtection

{

    param($obj)

    $path = “AD:\” + $obj

    Get-Acl -Path $path | `

    Select-Object -ExpandProperty Access | `

    Where-Object {($_.ActiveDirectoryRights -like “*DeleteTree*”-AND ($_.AccessControlType -eq “Deny”)} | `

        #(*)

        Select-Object @{name=‘Object’;expression={$obj}}, `

        @{name=‘objectTypeName’;expression={if ($_.objectType.ToString() -eq ‘00000000-0000-0000-0000-000000000000’) {‘All’Else {$schemaIDGUID.Item($_.objectType)}}}, `

        @{name=‘inheritedObjectTypeName’;expression={$schemaIDGUID.Item($_.inheritedObjectType)}}, `

        #(*)

        ActiveDirectoryRights,

        ObjectFlags,

        AccessControlType,

        IdentityReference,

        IsInherited,

        InheritanceFlags,

        PropagationFlags

}


#—————————————————————————–

#MAIN


#—————————————————————————–

#add the top domain

$OUs = @(Get-ADDomain | Select-Object -ExpandProperty DistinguishedName)

#add the OUs

$OUs += Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName

#add other containers

$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(|(objectClass=container)(objectClass=builtinDomain))’ | Select-Object -ExpandProperty DistinguishedName


#if you don’t want to scan the builtin container use line below instead of line above


#$OUs += Get-ADObject -SearchBase (Get-ADDomain).DistinguishedName -LDAPFilter ‘(objectClass=container)’ | Select-Object -ExpandProperty DistinguishedName


#set the target objects types to investigate


#including users, groups, contacts, computers

$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer))’


#$ldapfilter = ‘(|(objectclass=user)(objectclass=group)(objectclass=contact)(objectclass=computer)(objectclass=Foreign-Security-Principal))’


#not included: Foreign-Security-Principal, msTPM-InformationObjectsContainer, msDS-QuotaContainer, lostAndFound,

ForEach ($OU in $OUs

{

    #check the protection of the parent container

    $isProtected = 

    $isProtected = CheckProtection $OU

    if ($isProtected -ne $null) {$report += $isProtected}

    

    #Lookup the child target objects in the parent container

    $objects = Get-ADObject -SearchBase $OU -SearchScope OneLevel -LDAPFilter $ldapfilter | Select-Object -ExpandProperty DistinguishedName

    #check the protection of the child objects

    ForEach ($object in $objects)

    {

        $isProtected = 

        $isProtected = CheckProtection $object

        if ($isProtected -ne $null) {$report += $isProtected}

    }

}

$report | Format-Table -Wrap

$report | Export-Csv -Path $csvFile -NoTypeInformation

Disclaimer

LEGAL DISCLAIMER

This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment.

THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,

INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR  PURPOSE.

We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that You agree:

(i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded;

(ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and

(iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the Sample Code.

This posting is provided “AS IS” with no warranties, and confers no rights.

(Latest update: 2020-12-31)