Overview of Webex security

The Webex Meetings Suite helps enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Webex. Webex helps to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

For all organizations and their users, security is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content.

Webex provides a secure environment that you can configure as an open place to collaborate. Understanding the security features, as a site administrator or an end user, allows you to tailor your Webex site to your business needs.

For additional information, see the Webex security technical paper.

Best practices for Webex administrators

Effective security begins with Webex site administration, which allows administrators to manage and enforce security policies for host and presenter privileges. For example, an authorized administrator can customize session configurations to disable a presenter’s ability to share applications, or to transfer files on a per-site or a per-user basis.

We absolutely recommend that you keep your number of administrators to a minimum. Fewer administrators means fewer opportunities for site setting errors.

After you review the best practices for site administrators, be sure to review the best practices for secure meetings for hosts.

We recommend using the following features for protection of your meetings:

Telephony callback fraud can happen when someone joins one of your meetings and uses callback to call suspicious phone numbers from different countries, which costs your organization money. These suspicious phone numbers can come from anywhere in the world. However, we've observed that a higher percentage of fraud originates from the following locations:

  • Belgium

  • Costa Rica

  • Ecuador

  • Egypt

  • Ethiopia

  • France

  • Moldova

  • Niger

  • Panama

  • Philippines

  • Portugal

  • Saudi Arabia

  • South Africa

  • Sri Lanka

  • Taiwan

  • Turkey

  • Ukraine

  • United Arab Emirates

  • United Kingdom

  • Vietnam

To help reduce fraud, we recommend that you disallow certain countries in the Webex Allowed Callback Countries list. For example, you can add countries that you don’t do business with, or from which you've received fraudulent or suspicious calls.

1. Sign in to Site Administration, and go to Configuration > Common Site Settings > Audio Settings.

2. In the Webex Allowed Callback Countries section, check or uncheck the corresponding check box for a country or region to enable or disable it.

   You must leave at least one country or region enabled for callback.

3. After you finish making changes, click Save.

   Your changes can take up to 30 minutes to update in the app.
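
One way to check afterwards whether callbacks reached countries you meant to disallow, as an added example (not Webex code and not a Webex export format). The record layout, the allowed set and the sample rows are constructed for illustration; the calling codes are standard E.164 codes for some of the locations listed above.

```python
import csv
import io
from collections import Counter

# Assumed allowed set: calling codes for the regions this example site does business in.
ALLOWED = {"1": "US/Canada", "49": "Germany", "81": "Japan"}
# E.164 calling codes for some locations the page lists as frequent fraud sources.
KNOWN = {**ALLOWED, "32": "Belgium", "593": "Ecuador", "20": "Egypt",
         "373": "Moldova", "227": "Niger", "94": "Sri Lanka", "380": "Ukraine"}

# Constructed sample records; the column layout is hypothetical.
SAMPLE_CSV = """meeting_id,start_utc,callback_number,host_joined
1001,2024-03-01T09:00:00Z,+14085550100,yes
1001,2024-03-01T09:01:10Z,+4930555010,yes
2002,2024-03-02T02:14:00Z,+22720555010,no
2002,2024-03-02T02:14:40Z,+22720555011,no
2002,2024-03-02T02:15:05Z,+37322555012,no
3003,2024-03-02T11:30:00Z,+94115550123,yes
"""

def calling_code(number):
    """Prefix match: E.164 country calling codes are 1 to 3 digits long."""
    digits = number.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in KNOWN:
            return digits[:length]
    return None

def audit(csv_text, allowed=ALLOWED):
    """Return (findings, per-meeting counts) for callbacks outside the allowed set."""
    findings, per_meeting = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = calling_code(row["callback_number"])
        if code in allowed:
            continue
        reason = KNOWN.get(code, "unrecognised calling code")
        if row["host_joined"] == "no":
            reason += ", placed before host joined"
        findings.append((row["meeting_id"], row["callback_number"], reason))
        per_meeting[row["meeting_id"]] += 1
    return findings, per_meeting

if __name__ == "__main__":
    findings, per_meeting = audit(SAMPLE_CSV)
    for f in findings:
        print(*f, sep="  ")
    print("meetings with repeated disallowed callbacks:",
          [m for m, n in per_meeting.items() if n >= 2])
```

Several disallowed callbacks from one meeting, especially before the host joined, are the pattern worth reviewing first.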

Even meeting titles can reveal sensitive information. For example, a meeting entitled “Discuss acquisition of Company A” can have financial impacts, if revealed ahead of time. Creating unlisted meetings maintains the security of sensitive information.

For listed meetings, the meeting topic and other details appear on your site for authenticated users, as well as unauthenticated users and guests to see. We recommend that you mark all meetings as unlisted, unless your organization has a specific business need to display meeting titles and information publicly.

1. Sign in to Site Administration, and navigate to Configuration > Common Site Settings > Options.

2. Under Security Options in the Webex section:

   • Go to the Webex Meetings section, and check All meetings must be unlisted. This setting also applies to Events (new).

   • Go to the Webex Events section, and check All events must be unlisted. This setting applies to Events (classic).

   • Go to the Webex Training section, and check All sessions must be unlisted.

3. Select Update.

We recommend that you enforce a password requirement for users joining from phone or video conferencing systems. The system automatically generates an eight-digit numeric password for phone and video conferencing system attendees and adds it to the meeting invitation. This measure ensures that only people with an invitation can join the meeting when using a phone or video conferencing system.

1. Sign in to Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. In the Webex section:

   • Go to the Webex Meetings section, and check Enforce meeting password when joining by phone. This setting also applies to Events (new).

   • Go to the Webex Meetings section, and check Enforce meeting password when joining by video conferencing systems. This setting also applies to Events (new).

   • Go to the Webex Events section, and check Enforce event password when joining by phone. This setting applies to Events (classic).

   • Go to the Webex Training section, and check Enforce training password when joining by phone.

   If any of these options aren't available, contact Webex support to enable them.

3. Select Update.

If your organization works with sensitive information, we recommend that you require all users to have an account on your Webex site. When enabled, Webex prompts all hosts and attendees for their credentials when they join a meeting, event, or training session.

In addition, we recommend that you require attendees to sign in when dialing in from a phone. This requirement prevents anyone from getting into the meeting or training session without proper credentials.

Participants who join using the Webex application must authenticate, so Webex doesn't prompt them to authenticate when they connect to audio. Thus, this restriction impacts users who join only by phone.

Also, consider restricting video conferencing systems from dialing into a meeting that requires attendees to sign in. For more information, see Enforce meeting password when joining from phone or video conferencing systems.

Keep in mind that using this option limits your meeting, event, or session to internal attendees. This option is an excellent way to keep your meetings secure, but can be limiting if the host needs to have an external guest.

1. Sign in to Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. In the Webex section, check Require login before site access (Webex Meetings, Webex Events, Webex Training).

3. To require sign-in when joining a meeting or training session by phone, check the following boxes:

   • Under the Webex Meetings section, check Require users to have an account when joining by phone.

   • Under the Webex Training section, check Require users to have an account when joining by phone.

   When checked and the host requires sign-in, attendees must sign in from their phones. Attendees must have added a phone number and PIN to their profile settings to do so.

4. Select Update.

We recommend that you prevent attendees from joining before the host, unless you fully understand the security risk and require this functionality.

Consider disabling the join before host options for your site, particularly for listed meetings. Otherwise, external attendees could leverage scheduled meetings for their own purposes, without the knowledge or consent of the host.

Similarly, if you allow attendees to join before host, consider not allowing them to join audio before host. If your meeting is listed on your site or is not password-protected, unauthorized users could potentially gain access and initiate expensive calls without the host's knowledge or consent.

For Personal Conference Meetings (PCN Meetings), we recommend disabling the join audio before host option. The host must dial the Webex access number for the audio bridge, and then enter the host access code and host PIN, before attendees can join the meeting.

1. Sign in to Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. To prevent attendees from joining before the host, uncheck the following boxes:

   • Allow attendees or panelists to join before host (Meetings, Training and Events)

   • The first attendee to join will be the presenter (Meetings)

     This setting also applies to Events (new).

   • Allow attendees to join the audio conference (Meetings)

     This setting also applies to Events (new).

   • Allow attendees or panelists to join the audio conference (Training)

   • Allow attendees or panelists to join the audio conference (Events)

     This setting applies to Events (classic).

   • Allow attendee to join the audio portion of Personal Conference before host

3. Select Update.

We recommend that you enforce automatic locking of Personal Rooms after a set time. Hosts can use the site-level default setting, or set the number of minutes the room remains unlocked after the start of their meetings.

1. Sign in to Site Administration, and navigate to Configuration > Common Site Settings > Options.

2. In the Site Options section, check Enable Personal Room (When enabled, you can turn this on or off for individual users).

   Clear the checkbox.

3. Check Automatically lock Personal Rooms [x] minutes after meeting starts, and choose the number of minutes from the menu.

   If you set the number of minutes to 0, your Personal Room is always locked.

4. Select Update.

Hiding meeting and event links within meetings deters attendees from inviting unwanted guests by making the links less convenient to copy and share. It doesn’t prevent attendees from copying and sharing meeting links from their email invitations.

1. Sign in to Webex Administration, and go to Configuration > Common Site Settings > Options.

2. Scroll down to Security Options > Other and check Hide meeting link from attendee view within meetings (Meetings and Events).

   This option is unchecked by default.

When hidden, the Copy Meeting Link option appears dimmed for attendees in the Meeting Info window, the More Options menu, and the Meeting menu. Hosts can still share meeting links within meetings.

Everyone in your organization can join a meeting in an unlocked Personal Room. We recommend that you lock your Personal Room and require guests to wait in the lobby.

As the host, you can see a list of attendees waiting in the lobby. This list indicates authentication status. If you locked the room, the list shows only guests who didn't authenticate. In either case, you can review the list and choose who to admit to your Personal Room meeting.

1. Sign in to Site Administration, and go to Configuration > Common Site Settings > Options.

2. In the Site Options section, check Enable Personal Room (When enabled, you can turn this on or off for individual users).

3. For Personal Room security settings, click here and select one of the following options:

   When a meeting is unlocked,

   • Guests can join directly.

     We don't recommend this option. Anyone who has the join URL can enter Personal Rooms without any authentication.

   • Guests can wait in the lobby until the host admits them.

     This option is the minimum recommended level of security. Authenticated attendees join the meeting directly, while guests wait in the lobby. Hosts can admit individual guests who are legitimate attendees, and deny entry to the attendees who aren't.

   • Guests can't join.

     This option is the highest level of security for unauthenticated users.

4. (Optional) Click the lock icon (Automatically lock).

   If you automatically lock the room, the icon turns red. Hosts can't change the lock settings for their meetings.

5. (Optional) Check Automatically lock Personal Rooms [x] minutes after meeting starts, and choose the number of minutes from the menu.

   To keep your Personal Room locked, set the number of minutes to 0.

6. Select one of the following options:

   When a meeting is locked,

   • Everyone waits in the lobby until the host admits them.

   • No one can join the meeting.

7. Select Update.

You can customize session types to control content sharing and other Webex features, like file transfers. For more information, see Create custom session types for your Cisco Webex site, in Site Administration.

If you permit content sharing at the site level, meeting hosts can choose whether to allow all participants to share. If you don't enable the option, you can assign the Presenter role to select participants or attendees. For more information, see Allow participants to share during meetings.

By default, all macOS users can use third-party virtual cameras. Third-party virtual cameras require Webex to load their libraries and permit access to the camera. This requirement means that virtual cameras inherit all permissions that you grant participants, such as microphone and screen capture. If you disable the use of third-party virtual cameras for your site, only Webex can access these permissions.

To increase security for meetings on your site, you can prevent third-party virtual cameras from loading in Webex Meetings.

You'll find the following settings in Webex Site Administration: Configuration > Common Site Settings > Options > Security Options.

The options marked with an asterisk (*) are available only for sites managed in Site Administration that don’t have single sign-on enabled.

Account management

  • *Lock out an account after a configurable number of failed login attempts

  • Deactivate an account after a configurable number of inactive days

Account signup

  • *Add a security check in the signup form that requires new users to type the letters or digits of a distorted image that appears on the screen

  • *Require email confirmation of new accounts

Password management

  • Require specific rules for password format, length, and reuse

  • Create a list of prohibited passwords (for example, “password”)

Password aging

  • *Force users to change password at regular intervals

  • Set a minimum time interval when users can change their password