Secrets Revealed to Secure and Lock Your MS Access Database — Security Level 2

If you have built an MS Access database and you are getting ready to share it with users, you need to lock it down before you do. Without proper security, any user who knows a simple keyboard shortcut can bypass your login form, browse your raw tables and queries, and even import your entire database structure into a blank file — all without knowing a single line of code.

This tutorial walks you through every step covered in the Secrets Revealed to Secure and Lock Database | Security Level 2 video, explaining what each step does, why it matters, and exactly how to implement it. By the end, your database will have a locked login form, hidden objects, a hard-disk-bound licence check, a hidden ribbon and navigation pane, compiled and tamper-proof code, and a professional custom icon and splash screen.

What You Will Need — The Four Key Files

The tutorial is built around four special files that you will use alongside your main database (.accdb). Understanding the purpose of each file before you begin will save you a lot of confusion later.

Step 1 — Understanding the Shift Key Bypass Problem

Before you do anything else, you must understand the security gap that exists in every MS Access database by default.

When a user holds down the Shift key while double-clicking to open your database, Access skips everything you have set up — the AutoExec macro, the startup form, the display settings, all of it. The user lands directly in the back end of your database, sees all your tables and queries, and can browse or export your data freely. This is a built-in feature of Access designed for developers, but it is a serious vulnerability when you deploy to end users.

This means that even if you have a perfectly designed login form that appears on startup, any user who knows the Shift key trick can simply walk around it and get straight into your data.

The fix is to set the AllowBypassKey database property to False using VBA. When this property is False, holding Shift at startup does absolutely nothing — your AutoExec macro and startup form run every single time, no exceptions.

Step 2 — Implementing the Disable Shift Key Function

Here is the VBA code that disables the Shift key bypass. This goes inside a standard module in your database:

vba

Function DisableShiftKey()
    On Error GoTo ErrDisableShift
    Dim db As DAO.Database
    Dim prop As DAO.Property
    Const conPropNotFound = 3270

    Set db = CurrentDb()
    db.Properties("AllowByPassKey") = False
    Exit Function

ErrDisableShift:
    If Err = conPropNotFound Then
        Set prop = db.CreateProperty("AllowByPassKey", dbBoolean, False)
        db.Properties.Append prop
        Resume Next
    Else
        MsgBox "Could not disable Shift key bypass."
        Exit Function
    End If
End Function

How it works: The code tries to set the AllowByPassKey property on the current database to False. If the property does not exist yet (error 3270), it creates it and appends it. Once set, the Shift key bypass is permanently closed.

Important — keep a re-enable function too. Before you disable the Shift key, make sure you have a second function called EnableShiftKey (the same code but setting the property to True) accessible through a hidden admin button on your main form or through the Immediate Window. If you disable the Shift key and later need developer access, you will need this function to unlock your own database.

Calling the function from AutoExec: Once this function is in a module, call it inside your Startup function, which is itself called by the AutoExec macro. This ensures the Shift key is disabled every time the database opens, not just once.

Step 3 — Warning Before Hiding Tables and Queries

Before you run the Hide Tables or Hide Queries functions, read this carefully.

When you mark a table or query as Hidden, it disappears from the Navigation Pane — but it is not deleted. The object still exists inside the database file. A user who goes to Navigation Options and checks Show Hidden Objects will be able to see your tables and queries again.

More importantly — and this is the critical warning — a hidden table or query can still be imported by opening a separate blank Access database and using the External Data import function. When a user imports from your file, Access will show them all objects including hidden ones. This means hiding alone is not a complete solution.

The Hide Tables and Hide Queries functions are a first layer of defence, not the last word. They are most effective when combined with the other steps in this tutorial — especially the ACCDE conversion and the navigation pane lock — which together make it genuinely difficult for ordinary users to reach your objects.

Step 4 — Implementing the Hide Tables Function

Once you understand the warning above, here is how to use the Hide Tables function:

vba

Function HideAllTables()
    Dim obj As AccessObject
    For Each obj In CurrentData.AllTables
        If Left(obj.Name, 4) <> "MSys" Then
            obj.IsHidden = True
        End If
    Next obj
    MsgBox "All tables are now hidden."
End Function

The If Left(obj.Name, 4) <> "MSys" check is important — it skips the system tables (MSysObjects, MSysQueries, etc.) that Access needs to run. You do not want to hide those.

Run this function once from the Immediate Window (Ctrl+G, type HideAllTables, press Enter). The tables will immediately disappear from the Navigation Pane for any user who does not have Show Hidden Objects enabled.

Step 5 — Implementing the Hide Queries Function

The Hide Queries function follows the same pattern:

vba

Function HideAllQueries()
    Dim obj As AccessObject
    For Each obj In CurrentData.AllQueries
        If Left(obj.Name, 4) <> "MSys" Then
            obj.IsHidden = True
        End If
    Next obj
    MsgBox "All queries are now hidden."
End Function

Run this once from the Immediate Window as well. Your queries will vanish from the Navigation Pane alongside your tables.

Step 6 — Why Tables and Queries Can Still Be Imported (and What Stops It)

As explained in the warning above, hiding tables and queries does not stop them from being imported into another database file. This is a known limitation of MS Access security.

The video addresses this directly. The steps that actually prevent importing are:

Navigation Pane Lock + Shift Key Disabled: With the navigation pane completely hidden and the Shift key bypass closed, a regular user cannot even get to the File > External Data menu to start an import operation.

ACCDE Conversion (covered later in this tutorial): Converting your database to ACCDE format locks down forms, reports, and all VBA code so they cannot be viewed or edited. While ACCDE does not lock tables and queries by itself, when combined with a hidden navigation pane and a disabled Shift key, ordinary users have no pathway to reach them.

Network/File-Level Permissions: Restricting access to the folder where the database file is stored using Windows NTFS permissions means that users who should not have access cannot even open the file in another program to import from it.

The combination of all these layers is what makes the database genuinely secure.

Step 7 — Locking Down Forms, Reports, and VBA by Converting to ACCDE

Forms, reports, and all VBA module code can be completely locked by converting your .accdb database into an .accde file.

An ACCDE file is a compiled, read-only version of your database. Once converted:

• No user can open any form or report in Design View
• No user can view, copy, or modify your VBA source code
• The file size is typically smaller because the source code is stripped out

How to convert to ACCDE:

1. Open your .accdb file in MS Access
2. Go to File > Save As
3. Under Advanced, select Make ACCDE
4. Click Save As and choose a location

Access will compile all modules, check for any errors, and produce the .accde file. This is the file you distribute to your users. Keep the original .accdb file in a safe location — you will need it any time you want to make changes, because an ACCDE cannot be converted back.

Step 8 — Generating a Hard Disk Serial Number and Binding the Database to a Machine

One of the most powerful security features shown in the video is binding the database to a specific computer using the hard disk serial number. This stops a user from copying your .accde file to another machine and running it without authorisation.

How it works: When the database opens, the Startup function reads the serial number of the computer’s hard disk using a Windows API call or WMI query. It then compares that number against a stored, authorised serial number. If they match, the database opens normally. If they do not match, the database closes immediately or shows an error message.

VBA code to get the hard disk serial number:

vba

Function GetHDSerial() As String
    Dim strSerial As String
    Dim objWMI As Object
    Dim objDisk As Object
    Dim colDisks As Object

    Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
    Set colDisks = objWMI.ExecQuery("SELECT * FROM Win32_DiskDrive WHERE Index = 0")

    For Each objDisk In colDisks
        strSerial = objDisk.SerialNumber
    Next

    GetHDSerial = Trim(strSerial)
End Function

Implementing in the Startup function:

vba

Function Startup()
    Dim strAuthorisedSerial As String
    strAuthorisedSerial = "YOUR_STORED_SERIAL_HERE"  ' Replace with actual serial

    If GetHDSerial() <> strAuthorisedSerial Then
        MsgBox "This database is not authorised to run on this computer.", vbCritical
        Application.Quit
    End If

    ' Continue with rest of startup if serial matches...
    Call DisableShiftKey
    Call HideRibbonAndNav
End Function

To find the serial number of your target machine, run GetHDSerial() in the Immediate Window on that computer, note the result, and store it in your Startup function (or in a secure settings table). You can store multiple authorised serials if the database needs to run on more than one machine.

Step 9 — Changing the Application Icon

By default, MS Access shows its own icon in the title bar and taskbar. You can replace this with your own custom icon to give the database a professional, branded look.

Steps:

1. Prepare a .ico file with your custom icon (16×16 and 32×32 pixels minimum)
2. Go to File > Options > Current Database
3. Under Application Icon, click Browse and select your .ico file
4. Check Use as Form and Report Icon if you want it to appear on individual forms too
5. Also fill in the Application Title field — this replaces “Microsoft Access” in the title bar with your own application name
6. Click OK and restart the database

You can also set the application icon programmatically inside your Startup function using the Application.AppIcon property, which is useful if you want to change it dynamically or set it as part of your security initialisation routine.

Step 10 — Permanently Hiding the Ribbon and Navigation Pane Using the Startup Function

Hiding the ribbon and navigation pane through File > Options is not permanent — a user who bypasses startup (before you disabled the Shift key) could re-enable them. The proper way to hide them permanently is through your Startup function using VBA, so they are hidden programmatically every time the database opens.

Add these lines to your Startup function:

vba

' Hide the ribbon completely
DoCmd.ShowToolbar "Ribbon", acToolbarNo

' Hide and lock the Navigation Pane
DoCmd.NavigateTo "acNavigationCategoryObjectType"
DoCmd.LockNavigationPane True
Application.SetOption "Show Navigation Pane", False

' Disable special keys (prevents F11 from showing Navigation Pane)
CurrentDb.Properties("AllowSpecialKeys") = False

' Disable full menus and shortcut menus
CurrentDb.Properties("AllowFullMenus") = False
CurrentDb.Properties("AllowShortcutMenus") = False

' Hide the database window/status bar
CurrentDb.Properties("StartUpShowDBWindow") = False
CurrentDb.Properties("StartUpShowStatusBar") = False

Why disabling special keys matters: Even if you hide the Navigation Pane through code, a user can press F11 to toggle it back into view — unless you also set AllowSpecialKeys to False. This one property blocks F11, Ctrl+G (which opens the VBA editor), Ctrl+Break, and other built-in Access keyboard shortcuts that could give a user developer-level access.

With all of these properties set in your Startup function, and the Shift key bypass disabled, a regular user will see only your forms — nothing else.

Step 11 — Converting ACCDB to ACCDE

This step has been mentioned earlier but deserves its own summary because it is the single most important compilation step before distribution.

Step-by-step conversion:

1. Open the original .accdb file (not a copy you are already distributing)
2. In the VBA Editor (Alt+F11), click Debug > Compile Database and resolve any errors
3. Close the VBA Editor
4. Go to File > Save As > Advanced > Make ACCDE
5. Name the file and save it — Access creates a new .accde file alongside your original
6. Test the .accde file thoroughly — open it, log in, test all forms and reports
7. Distribute the .accde file to your users

Step 12 — Changing the MS Access Startup Splash Screen

By default, when Access opens your database, it briefly shows the standard MS Access splash screen. You can replace this with a custom splash screen that shows your application name, version, logo, or company branding.

Using a custom splash image at startup:

1. Create a bitmap image (.bmp) with your branding — the recommended size is around 500×350 pixels
2. Name the file exactly the same as your database file — for example, if your database is StockManager.accdb, name the image StockManager.bmp
3. Place the .bmp file in the same folder as your .accdb or .accde file
4. Next time the database opens, Access will automatically detect the matching .bmp file and use it as the splash screen instead of the default one

This is a simple but effective branding touch that makes your application look polished and professional right from the first second a user opens it.

Step 13 — Changing the Application Shortcut Icon

The final step is changing the icon of the shortcut that users click to open the database. By default, the shortcut shows the MS Access icon. You can change it to your own .ico file.

If users open the database via a Windows shortcut:

1. Right-click the shortcut and choose Properties
2. Click the Shortcut tab
3. Click Change Icon
4. Browse to your .ico file and select it
5. Click OK and Apply

If you are distributing the database directly (no shortcut):

1. Use a tool like Resource Hacker or a custom installer to embed your icon into a wrapper executable
2. Alternatively, create a shortcut during installation that points to the .accde file with your icon applied as described above

For most small business deployments, creating a desktop shortcut with a custom icon is sufficient and gives the application a professional, non-Access appearance.

Putting It All Together — The Complete Startup Function

Here is a summary of how your complete Startup function should look, combining every step above:

vba

Function Startup()

    ' Step 1: Check hard disk serial number
    Dim strAuthorisedSerial As String
    strAuthorisedSerial = "YOUR_SERIAL_HERE"
    If GetHDSerial() <> strAuthorisedSerial Then
        MsgBox "Unauthorised computer. This application will now close.", vbCritical
        Application.Quit
        Exit Function
    End If

    ' Step 2: Disable Shift key bypass
    Call DisableShiftKey

    ' Step 3: Hide ribbon
    DoCmd.ShowToolbar "Ribbon", acToolbarNo

    ' Step 4: Hide and lock Navigation Pane
    Application.SetOption "Show Navigation Pane", False
    DoCmd.LockNavigationPane True

    ' Step 5: Disable special keys, menus, and toolbars
    CurrentDb.Properties("AllowSpecialKeys") = False
    CurrentDb.Properties("AllowFullMenus") = False
    CurrentDb.Properties("AllowShortcutMenus") = False
    CurrentDb.Properties("StartUpShowDBWindow") = False
    CurrentDb.Properties("StartUpShowStatusBar") = False

    ' Step 6: Open your login form
    DoCmd.OpenForm "frmLogin"

End Function

And your AutoExec macro should have a single action: RunCode with the function name Startup(). That is all it needs. Every time the database opens, AutoExec runs, which calls Startup, which does everything else.

Quick Checklist Before You Distribute

Use this list to confirm your database is properly secured before you hand it to users:

• AutoExec macro exists and calls the Startup function
• Startup function disables the Shift key bypass on every open
• Hard disk serial number check is active in Startup
• All tables are hidden via the Hide Tables function
• All queries are hidden via the Hide Queries function
• Ribbon is hidden via Startup
• Navigation Pane is hidden and locked via Startup
• AllowSpecialKeys is set to False (blocks F11 and Ctrl+G)
• Application title and icon have been changed
• Custom splash screen .bmp is in the same folder as the database file
• Database has been compiled to ACCDE and tested
• Shortcut icon on user desktops has been updated to your custom .ico
• You have a safe copy of the original .accdb stored somewhere only you can access

Frequently Asked Questions

Q: What if I accidentally lock myself out of my own database? As long as you have the original .accdb file, you can always open it in Access while the Shift key bypass is still enabled (before you ran the Disable Shift function on that copy). Always keep a developer copy of the .accdb with the Shift key bypass enabled in a location only you can reach.

Q: Can a user still import my tables from the ACCDE file? Technically, the raw file still exists on disk. The combination of hiding objects, locking the navigation pane, disabling special keys, and applying Windows folder permissions makes this very difficult in practice for non-technical users. For highly sensitive data, consider moving to a SQL Server back end.

Q: Do I need to re-run HideAllTables and HideAllQueries every time I add a new table? Yes. If you add a new table or query after running the hide functions, the new object will be visible. Run the functions again from the Immediate Window in your developer copy to hide the new objects, then recompile to ACCDE.

Q: Will the hard disk serial number change? The serial number of a physical hard drive is set by the manufacturer and does not change. However, if the user’s computer is replaced, you will need to update the authorised serial in your database. Build an admin screen or a re-authorisation process for this scenario.

Final Thoughts

Securing an MS Access database properly is not a single step — it is a series of layers that work together. The AutoExec macro starts everything. The Startup function does the heavy lifting: disabling the Shift bypass, checking the machine serial, hiding the interface, and locking the user into your forms. The Hide Tables and Hide Queries functions remove direct object access. The ACCDE conversion seals the code. And the serial number check means your database only runs where you allow it.

None of these steps are complicated on their own, but applying them in the right order — and understanding why each one exists — is what this tutorial is all about.

Watch the full video Secrets Revealed to Secure and Lock Database | Security Level 2 to see each step demonstrated live in MS Access.

Download the practice files at skillheader.com