Overview of Webex security

The Webex Meetings Suite helps enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Webex. Webex helps to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

For all organizations and their users, security is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content.

Webex provides a secure environment that you can configure as an open place to collaborate. When site administrators and end users understand the security features, you can tailor your Webex site to your business needs.

For additional information, see the Webex security technical paper.

Best practices for Webex administrators

Effective security begins with Webex site administration, which allows administrators to manage and enforce security policies for host and presenter privileges. For example, an authorized administrator can customize session configurations to disable a presenter’s ability to share applications, or to transfer files on a per-site or a per-user basis.

We absolutely recommend that you keep your number of administrators to a minimum. Fewer administrators means fewer opportunities for site setting errors.

After you review the best practices for site administrators, be sure to review the best practices for secure meetings for hosts.

We recommend using the following features for protection of your meetings:

Telephony callback fraud can happen when someone joins one of your meetings and uses callback to call suspicious phone numbers from different countries, which costs your organization money. These suspicious phone numbers can come from anywhere in the world; however, we observed that a higher percentage of fraud originates from the following countries and regions:

  • Belgium

  • Costa Rica

  • Ecuador

  • Egypt

  • Ethiopia

  • France

  • Moldova

  • Niger

  • Panama

  • Philippines

  • Portugal

  • Saudi Arabia

  • South Africa

  • Sri Lanka

  • Taiwan

  • Turkey

  • Ukraine

  • United Arab Emirates

  • United Kingdom

  • Vietnam

If there are countries you don’t do business with, or if you want to prevent fraudulent or suspicious calls to your meetings from certain countries or regions, you can uncheck them from the Webex Allowed Callback Countries list.

1. From the customer view in https://admin.webex.com, under Services, select Meetings.

2. Select the site that you want to change the settings for, and choose Configure Site.

3. Select Common Settings > Audio Settings.

4. In the Webex Allowed Callback Countries section, check or uncheck the check box next to a country or region to enable or disable it.

   You must leave at least one country or region enabled for callback.

5. When you're done making changes, click Save.

Your changes can take up to 30 minutes to update in the app.
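To help decide which countries to uncheck, and to confirm afterwards that no callbacks still reach disabled ones, the following added example (not Cisco code) totals callback minutes by destination country and reports anything outside your allow list. The CSV layout, the sample records, and the `ALLOWED` set are constructed assumptions, not a Webex export format.

```python
import csv
import io
from collections import Counter

# E.164 calling codes for the countries and regions listed above, plus +1.
CALLING_CODES = {
    "1": "NANP (+1)", "20": "Egypt", "27": "South Africa", "32": "Belgium",
    "33": "France", "44": "United Kingdom", "63": "Philippines",
    "84": "Vietnam", "90": "Turkey", "94": "Sri Lanka", "227": "Niger",
    "251": "Ethiopia", "351": "Portugal", "373": "Moldova", "380": "Ukraine",
    "506": "Costa Rica", "507": "Panama", "593": "Ecuador", "886": "Taiwan",
    "966": "Saudi Arabia", "971": "United Arab Emirates",
}

# Constructed sample records; the column names are assumptions.
SAMPLE_CSV = """meeting_id,callback_number,minutes
M-1001,+1 408 555 0100,42
M-1001,+227 20 555 010,55
M-1002,+44 20 7946 0000,30
M-1003,+373 22 555 010,61
M-1003,+373 22 555 011,58
"""
ALLOWED = {"NANP (+1)", "United Kingdom"}  # countries left checked (assumed)

def country_of(number):
    """Map a +E.164 number to a country by its calling-code prefix."""
    digits = "".join(ch for ch in number if ch.isdigit())
    for length in (3, 2, 1):  # calling codes are 1 to 3 digits, prefix-free
        name = CALLING_CODES.get(digits[:length])
        if name:
            return name
    return "unmapped"  # not in the table: always reported for review

def review_callbacks(csv_text, allowed):
    """Return (minutes per country outside `allowed`, meetings per country)."""
    minutes, meetings = Counter(), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        country = country_of(row["callback_number"])
        if country not in allowed:
            minutes[country] += int(row["minutes"])
            meetings.setdefault(country, set()).add(row["meeting_id"])
    return minutes, meetings

if __name__ == "__main__":
    minutes, meetings = review_callbacks(SAMPLE_CSV, ALLOWED)
    for country, total in minutes.most_common():
        print(f"{country}: {total} min, meetings {sorted(meetings[country])}")
```

Numbers whose calling code is not in the table are reported as "unmapped" rather than silently passed, so extend `CALLING_CODES` to cover every country you do business with.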

Even meeting titles can reveal sensitive information. For example, a meeting entitled “Discuss acquisition of Company A” can have financial impacts, if revealed ahead of time. Creating unlisted meetings maintains the security of sensitive information.

For listed meetings, the meeting topic and other information are displayed on your site for authenticated users as well as unauthenticated users and guests to see. Unless your organization has a specific business need to display meeting titles and information publicly, all meetings should be marked as unlisted.

1. From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2. Select the Webex site to change the settings for, and select Configure Site.

3. Under Common Settings, select Security.

4. Under Security Options in the Webex section:

     • Go to the Webex Meetings section, and check All meetings must be unlisted. This setting also applies to Webex Webinars.

     • Go to the Webex Events section, and check All events must be unlisted. This setting applies to Events (classic).

     • Go to the Webex Training section, and check All sessions must be unlisted.

5. Select Update.

In addition to requiring passwords when users join from a meeting application (for example, on Windows or Mac), you should also enforce the password requirement for users joining from phone or video conferencing systems. When this option is selected, the system automatically generates an eight-digit numeric password for phone and video conferencing system attendees and adds it to the meeting invitation. This ensures that only people with an invitation can join the meeting when using a phone or video conferencing system.

1. From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2. Select the Webex site to change the settings for, and select Configure Site.

3. Under Common Settings, select Security.

4. Under Security Options in the Webex section:

     • Go to the Webex Meetings section, and check Enforce meeting password when joining by phone. This setting also applies to Webex Webinars.

     • Go to the Webex Meetings section, and check Enforce meeting password when joining by video conferencing systems. This setting also applies to Webex Webinars.

     • Go to the Webex Events section, and check Enforce event password when joining by phone. This setting applies to Events (classic).

     • Go to the Webex Training section, and check Enforce training password when joining by phone.

   If any of these options aren't available, contact Webex support to enable them.

5. Select Update.

We recommend that you require all users to have an account on your Webex site if sensitive meetings, events, or training sessions are hosted there. When enabled, besides hosts, attendees are also asked for their credentials when they attempt to join a meeting, webinar, event, or training session.

In addition to requiring sign-in to your site, we recommend that you require attendees to sign in when dialing in from a phone. This prevents anyone from getting into the meeting or training session without proper credentials.


Participants who join using the Webex Meetings or Webex Training application have to authenticate, so they will not be asked for authentication when connecting to audio. Thus, this restriction impacts users who join only by phone.

Also, consider restricting video conferencing systems from dialing into a meeting that requires attendees to sign in. Since users cannot sign in from a video conferencing system, allowing video conferencing systems to join puts meetings at risk of being joined by an unauthorized user.

Keep in mind that using this option limits your meeting, event, or session to internal attendees. This is an excellent way to keep your meetings secure, but can be limiting if the host needs to have an external guest.

1. From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2. Select the Webex site to change the settings for, and select Configure Site.

3. Under Common Settings, select Security.

4. To require that all users must have an account on your Webex site to host or attend Webex meetings, webinars, events, or training sessions, go to the Webex section and check Require login before site access (Webex Meetings, Webex Events, Webex Training).

5. To require sign in when joining a meeting or training session by phone, under Security Options in the Webex section:

     • Under the Webex Meetings section, check Require users to have an account when joining by phone. This setting also applies to Webex Webinars.

     • Under the Webex Training section, check Require users to have an account when joining by phone.

   When checked and the host requires sign-in, attendees must sign in from their phones. Attendees must have added a phone number and PIN to their profile settings to do so.

6. To prevent video conferencing systems from joining a meeting when sign-in is required, under Webex Meetings in the Webex section, select Blocked (Webex Meetings only).

7. Select Update.

For all meetings, don’t enable the ability for attendees to join before the host unless you fully understand the security impact and require this functionality.

Consider disabling the join before host options for your site. We recommend that you disable these options for listed meetings. Otherwise, external attendees could leverage the scheduled meeting for their own purposes, without the knowledge or consent of the host.

Similarly, if you allow attendees to join before host, consider not allowing them to join audio before host. This measure is important for meetings listed on your site or not password-protected. Unauthorized users could potentially gain access and initiate expensive calls without the knowledge or consent of the host.

For Personal Conference Meetings (PCN Meetings), we recommend that you disable the join audio before host option. Hosts would have to join the audio bridge using their host access code and PIN, before attendees could join the meeting.

1. From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2. Select the Webex site to change the settings for, and select Configure Site.

3. Under Common Settings, select Security.

4. To prevent attendees from joining before the host, go to the Webex section and uncheck the following boxes:

     • Allow attendees or panelists to join before host (Meetings, Training and Events)

     • The first attendee to join will be the presenter (Meetings)

       This setting also applies to Webex Webinars.

     • Allow attendees to join the audio conference (Meetings)

       This setting also applies to Webex Webinars.

     • Allow attendees or panelists to join the audio conference (Training)

     • Allow attendees or panelists to join the audio conference (Events)

       This setting applies to Events (classic).

     • Allow attendee to join the audio portion of Personal Conference before host

5. Select Update.

We recommend that you enforce the automatic locking of Personal Rooms after a designated time. This setting applies at the site level. Hosts can accept the default time that you set, or they can change the number of minutes after a meeting starts, before their Personal Room locks. To have their Personal Room always locked, hosts can choose zero minutes.

1. From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2. Select the Webex site to change the settings for, and select Configure Site.

3. Under Common Settings, select Site Options.

4. In the Site Options section, check Automatically lock Personal Rooms after [x] minutes after meeting starts for any users who have not defined their Preferences > My Personal Room > Automatic lock setting.

5. From the drop-down list, select the number of minutes after the meeting starts, before their Personal Room locks.

6. Select Update.

Hiding the links within meetings deters attendees from inviting unwanted guests by making the links less convenient to copy and share. It doesn’t prevent attendees from copying and sharing meeting links from their email invitations.

1. From the customer view in https://admin.webex.com/, go to Services, and select Meeting.

2. Choose the Webex site that you would like to update.

3. Select Configure Site > Common Settings > Site Options.

4. Check Hide meeting link from attendee view within meetings (Meetings and Events).

   Default setting: disabled (unchecked).

   When enabled, this option disables the Copy Meeting Link feature for attendees in the Meeting Info window, the More Options menu, and the Meeting menu. Hosts can still share meeting links within meetings.

We recommend, as a minimum, the following security measures for unlocked Personal Rooms:

  • Allow authenticated attendees to enter an unlocked Personal Room.

  • Require unauthenticated attendees to wait in the lobby of the unlocked Personal Room, until the host manually admits them.

Hosts can see the list of attendees waiting in their lobby. The list indicates who has signed in and who hasn’t. In an unlocked room, the list of attendees waiting in the lobby shows only people who haven’t signed in. Authenticated attendees join the meeting automatically. In both cases, the host can review the list and choose who to allow into the Personal Room meeting.

1. From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2. Select the Webex site to change the settings for, and select Configure Site.

3. Under Common Settings, select Site Options.

4. In the Site Options section, go to Personal Room Security to view the following options:

     • Guests can join directly

       We don't recommend this option. Anyone who has the join URL can enter a Personal Room, without authentication.

     • Guests wait in the lobby until the host admits them

       This setting provides the minimum recommended level of security. The host can see the list of all guests, and see who is authenticated and unauthenticated. The host can admit legitimate attendees, and deny entry to others.

     • Guests can't join

       The recommended level of security for unauthenticated users.

5. Select Update.

For macOS, the use of third-party virtual cameras is enabled by default for all users in your organization. Third-party virtual cameras require Webex to load their libraries to give them access to the camera. Libraries loaded by the Webex process inherit all meeting permissions, such as microphone and screen capture, that your users grant Webex. If you disable the use of third-party virtual cameras for your organization, only Webex can access these permissions.

To increase meeting security for your entire organization, turn off third-party virtual camera selection for macOS. If you want to disable virtual cameras for certain sites, see Enable or Disable Virtual Cameras in Webex Meetings.

To manage policy settings for all users on your site, the following features are also available in Webex Control Hub. Find these features at: Configure Site > Common Settings > Security > Security Options.

Account Management

  • Deactivate an account after a configurable number of inactive days.

Password management

  • Require specific rules for password format, length, and reuse.

  • Create a list of prohibited passwords (for example, “password”).

Password aging

  • Set a time interval when users can change their password.