Prevent hidden sheets in ThisWorkbook to be visible by using a macro and run from another workbook

Question

My workbook has some very hidden sheets (xlSheetVeryHidden), because I do not want the end users to even see the info inside this sheets.
But, I surprised that using this method is very weak ,because any end user can run the below code from another workbook and see all the hidden sheets on the main file.

Sub make_visible()
 
Dim wb As Workbook: Set wb = Workbooks("Test") ‘name of the main file
Dim sh As Worksheet
  For Each sh In wb.Sheets
  sh.Visible = xlSheetVisible
Next
 
End Sub

So, I need to isolated my workbook and prevent any macro found on other workbook to affect my main workbook.
Grateful for all useful comments and answer for this security issue.
Also,I locked my vba project , I have used a similar method like Unviewable+

So have the data in another location and call it instead of putting it that workbook. — Solar Mike, Jun 05 '22 at 09:25
Would a `Private Sub Worksheet_Activate() Me.Visible = xlSheetVeryHidden End Sub` be enouth? — Evil Blue Monkey, Jun 05 '22 at 13:20
@Evil Blue Monkey , It's not enough, as the end users can run code to `Disable events` and then show all sheets afterwards. — Leedo, Jun 05 '22 at 13:59
What level of threat are you dealing with? I mean: if those who are going to attack your file can use VBA to this level, i don't think you can do much with Excel. Even the sheet protection can be overrun with code. — Evil Blue Monkey, Jun 05 '22 at 16:03
@Evil Blue Monkey , instead of blame me for my question, See this article https://www.spreadsheet1.com/how-to-prevent-protected-excel-worksheets-from-being-hacked.html — Leedo, Jun 09 '22 at 08:39
There is no way you can protect the workbook with VBA if rest of users have access to VBA too. Maybe setting up a password like the answer below, but can be deleted with 7zip or Winrar (if users know how, of course). — Foxfire And Burns And Burns, Jun 09 '22 at 08:58
@Leedo: where, how and for what did i allegedly blame you? I was asking a quite fundamental question about your case so that it would have been easier to anyone to support you. If we don't know the level of the threat, we can't give you a proper solution. If your attackers knows VBA to the point `Disable events` is a thing to them, i'm quite confident that they know their stuff and they most certainly know a site like this where they will find or ask for a solution to the defence you might set up with Excel. — Evil Blue Monkey, Jun 09 '22 at 12:25
@Leedo: as example, solution like workbook protection will most likely be outdone by solutions like [this one](https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project). The same article you've posted said that there is no real (known) way to have a breach-proof system, just ones that are very hard to breach. Therefore that article supports my last comment more than nullifies it. — Evil Blue Monkey, Jun 09 '22 at 12:39

Cristian Buse · Accepted Answer · 2022-06-09T15:34:31.857

You could protect the workbook structure which would prevent the user to add/delete/hide/unhide sheets.

You can do it manually in the Excel interface in the Review ribbon tab:
screenshot

Or, you can do it programatically with something like:

'*******************************************************************************
'Protect the Structure of a given Book
'Returns TRUE if the Book is passworded with the provided pass otherwise FALSE
'*******************************************************************************
Public Function ProtectBookStructure(ByVal book As Workbook _
                                   , ByVal pass As String) As Boolean
    If book.ProtectStructure Then
        If UnprotectBookStructure(book, pass) Then
            'Previous password was the same or empty. Protect with new password
            ProtectBookStructure = ProtectBookStructure(book, pass)
        Else
            'Book is protected with a different password
            ProtectBookStructure = False
        End If
    Else
        On Error Resume Next
        book.Protect Password:=pass, Structure:=True
        On Error GoTo 0
        ProtectBookStructure = book.ProtectStructure
    End If
End Function

'*******************************************************************************
'Unprotect the Structure of a given Book
'Returns TRUE if successful or FALSE if not
'*******************************************************************************
Public Function UnprotectBookStructure(ByVal book As Workbook _
                                     , ByVal pass As String) As Boolean
    If book.ProtectStructure Then
        On Error Resume Next
        book.Unprotect pass
        On Error GoTo 0
    End If
    UnprotectBookStructure = Not book.ProtectStructure
End Function

The above methods can be called like:

ProtectBookStructure ThisWorkbook, "simplePassword"
UnprotectBookStructure ThisWorkbook, "simplePassword"

or you could make use of their return value to check if the protect/unprotect is succesful.

Edit #1

Having read the additional comments made under the OP's question, I must clarify a few things.

Excel files can only be made safe if you protect them via File/Info:

However, nobody can use such a protected file without the password. And once you give them the password then everything is accessible because:

A Workbook protection, as the one I suggested in the initial answer under Review/Protect Workbook, can easily be 'cracked' by saving the file in the old .xls format and then simply removing it (no prompt for password). Same is applicable for Worksheets. Also, a brute force VBA macro could achive the same thing on older versions of Excel. Also, the internal files (under the Excel file archive) can be edited to remove the passwords
The VBA project password can be cracked in at last 2 ways:

if opening the file with an archiver then one can edit the DPB=.. entry under \xl\vbaProject.bin\PROJECT
by using a macro to hook the password dialog via Win API

The suggestion I made in this answer only prevents 'normal' users to unhide the hidden worksheets but that does not stop more 'advanced' users to copy the information from those sheets via macros and most certainly does not prevent them to crack the passwords.

If you want total security on those hidden sheets then you should move the data outside of the Excel file as suggested by @SolarMike in the comments

By using Unviewable+ or similar alternatives, cracking of vba code is extremely hard for most users — Leedo, Jun 10 '22 at 06:43

Prevent hidden sheets in ThisWorkbook to be visible by using a macro and run from another workbook

1 Answers1

Edit #1