Overview of Webex Security

Cisco Webex Meetings Suite helps enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Cisco Webex to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

For all organizations and their users, security is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content.

Cisco Webex Meetings provides a secure environment, yet it can be configured as an open place to collaborate. Understanding the security features available to site administrators and end users allows you to tailor your Webex site to your business needs.

For additional information, see the Webex Security White Paper.

Best Practices for Webex Administrators

Effective security begins with Webex site administration, which allows administrators to manage and enforce security policies for host and presenter privileges. For example, an authorized administrator can customize session configurations to disable a presenter’s ability to share applications, or to transfer files on a per-site or a per-user basis.

We absolutely recommend that you keep your number of administrators to a minimum. Fewer administrators means fewer opportunities for site setting errors.

Once you've reviewed the best practices for site administrators, be sure to review the best practices for secure meetings for hosts.

We recommend using the following features for protection of your meetings:

Even meeting titles can reveal sensitive information. For example, a meeting entitled “Discuss acquisition of Company A” can have financial impacts if revealed ahead of time. Creating unlisted meetings maintains the security of sensitive information.

For listed meetings, the meeting topic and other information are displayed on your site for authenticated users as well as unauthenticated users and guests to see. Unless your organization has a specific business need to display meeting titles and information publicly, all meetings should be marked as unlisted.

1. From your Webex Administration site, select Configuration > Common Site Settings > Options.

2. Under Security Options in the Cisco Webex section:

  • Go to the Webex Meetings section, and check All meetings must be unlisted.

  • Go to the Webex Events section, and check All events must be unlisted.

  • Go to the Webex Training section, and check All sessions must be unlisted.

3. Select Update.

The most effective step to strengthen the security of all your meetings, events, and training sessions is to require a password. Passwords protect against unauthorized attendance because only users with access to the password are able to join. Following the practice of requiring passwords ensures that all meetings, events, and training sessions that are created by hosts are secured.

We recommend you use a high-complexity, nontrivial password. A recommended password includes a mix of uppercase and lowercase letters, numbers, and special characters (for example, $Tu0psrOx!). By setting your password to require at least 6 characters, 1 numeric character, 1 uppercase and lowercase letter, and 1 special character, such as $, &, or %, you'll greatly increase the security for your meeting.


Adding passwords to your meetings, events, and training sessions does not affect the join experience of authorized attendees. Participants easily join by selecting the URL in the email invitation or from the Webex site.

1. Sign in to Webex Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. In the Cisco Webex section:

  • Go to the Webex Meetings section, and check All meetings must have a password.

  • Go to the Webex Events section, and check All events must have a password.

  • Go to the Webex Training section, and check All sessions must have a password.

3. To require strong passwords, check Require strong passwords for meetings.

4. Check and configure the following check boxes:

  • Require mixed case

  • Minimum length

  • Minimum number of numeric

  • Minimum number of alpha

  • Minimum number of special characters

  • Do not allow any character to be repeated three times or more

  • Do not allow dynamic web page text for meeting passwords (site name, host's name, username, meeting topic)

  • Do not allow meeting passwords from this list

5. Select Update.
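The strong-password rules listed in step 4 can be checked offline before a password goes into an invitation. The following is an added example, not Cisco's code or a Webex API: the class and function names are hypothetical, the thresholds are the minimums recommended above (the alpha minimum of 1 is an assumption), and the interpretation of the repeat and dynamic-text rules is an assumption noted in the comments.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class MeetingPasswordPolicy:
    # Defaults mirror the minimums recommended above; min_alpha=1 is an assumption.
    min_length: int = 6
    min_numeric: int = 1
    min_alpha: int = 1
    min_special: int = 1
    require_mixed_case: bool = True
    prohibited: set = field(default_factory=lambda: {"password"})


def check_password(pw, policy, dynamic_text=()):
    """Return the names of the violated rules; an empty list means pw passes."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("minimum length")
    if sum(c.isdigit() for c in pw) < policy.min_numeric:
        problems.append("minimum number of numeric")
    if sum(c.isalpha() for c in pw) < policy.min_alpha:
        problems.append("minimum number of alpha")
    if sum(not c.isalnum() and not c.isspace() for c in pw) < policy.min_special:
        problems.append("minimum number of special characters")
    if policy.require_mixed_case and not (
        any(c.islower() for c in pw) and any(c.isupper() for c in pw)
    ):
        problems.append("mixed case")
    # Assumption: "repeated three times or more" counts occurrences anywhere.
    if pw and max(Counter(pw).values()) >= 3:
        problems.append("character repeated three times or more")
    lowered = pw.lower()
    # Assumption: dynamic text is matched as a case-insensitive substring.
    if any(t and t.lower() in lowered for t in dynamic_text):
        problems.append("dynamic web page text")
    if lowered in {p.lower() for p in policy.prohibited}:
        problems.append("prohibited list")
    return problems


if __name__ == "__main__":
    policy = MeetingPasswordPolicy()
    # Constructed inputs: the page's sample password, a listed word, a topic-derived one.
    print(check_password("$Tu0psrOx!", policy))
    print(check_password("password", policy))
    print(check_password("Acme2024!!!", policy, dynamic_text=["Acme", "jdoe"]))
```

Pass the site name, host's name, username, and meeting topic as `dynamic_text` so that passwords derived from them are rejected.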

In addition to requiring passwords when users join from a meeting application (for example, on Windows or Mac), you should also enforce the password requirement for users joining from phone or video conferencing systems. When this option is selected, the system automatically generates an eight-digit numeric password for phone and video conferencing system attendees and adds it to the meeting invitation. This ensures that only people with an invitation can join the meeting when using a phone or video conferencing system.

1. Sign in to Webex Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. In the Cisco Webex section:

  • Go to the Webex Meetings section, and check Enforce meeting password when joining by phone.

  • Go to the Webex Meetings section, and check Enforce meeting password when joining by video conferencing systems.

  • Go to the Webex Events section, and check Enforce event password when joining by phone.

  • Go to the Webex Training section, and check Enforce training password when joining by phone.

  If any of these options aren't available, contact Webex support to enable them.

3. Select Update.

We recommend that you require all users to have an account on your Webex site if sensitive meetings, events, or training sessions are hosted there. When enabled, besides hosts, attendees are also asked for their credentials when they attempt to join a meeting, event, or training session.

In addition to requiring sign-in to your site, we recommend that you require attendees to sign in when dialing in from a phone. This prevents anyone from getting into the meeting or training session without proper credentials.


Participants who join using the Webex Meetings or Webex Training application have to authenticate, so they will not be asked for authentication when connecting to audio. Thus, this restriction impacts users who join only by phone.

Also, consider restricting video conferencing systems from dialing into a meeting that requires attendees to sign in. Since users cannot sign in from a video conferencing system, allowing video conferencing systems to join puts meetings at risk of being joined by an unauthorized user.

Keep in mind that using this option limits your meeting, event, or session to internal attendees. This is an excellent way to keep your meetings secure, but can be limiting if the host needs to have an external guest.

1. Sign in to Webex Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. To require that all users must have an account on your Webex site to host or attend Webex meetings, events, or training sessions, go to the Cisco Webex section and check Require login before site access (Webex Meetings, Webex Events, Webex Training).

3. To require sign in when joining a meeting or training session by phone:

  • Under the Webex Meetings section, check Require users to have an account when joining by phone.

  • Under the Webex Training section, check Require users to have an account when joining by phone.

  When checked and the host requires sign-in, attendees must sign in from their phones. Attendees must have added a phone number and PIN to their profile settings to do so.

4. Select Update.

For all meetings, do not enable the ability for attendees to join before the host unless you fully understand the security impact and require this functionality.

Consider disabling the join before host options for your site. We recommend disabling these options for listed meetings, as external attendees could leverage the scheduled meeting for their own purposes, without the host’s knowledge or consent.

Similarly, if you allow attendees to join before host, consider not allowing them to join audio before host. If your meeting is listed on your site or is not password-protected, unauthorized users could potentially gain access and initiate expensive calls without the host's knowledge or consent.

For Personal Conference Meetings (PCN Meetings), we recommend disabling the join audio before host option. A host would then first have to dial the Webex Access number for the audio bridge, and then enter the host access code and host PIN, before attendees could join the meeting.

1. Sign in to Webex Site Administration, and navigate to Configuration > Common Site Settings > Options > Security Options.

2. To prevent attendees from joining before the host, uncheck the following boxes:

  • Allow attendees or panelists to join before host (Meetings, Training and Events)

  • The first attendee to join will be the presenter (Meetings)

  • Allow attendees to join the audio conference (Meetings)

  • Allow attendees or panelists to join the audio conference (Training)

  • Allow attendees or panelists to join the audio conference (Events)

  • Allow attendee to join the audio portion of Personal Conference before host

3. Select Update.

We recommend you enforce automatic locking of Personal Rooms after a designated time. When a meeting is started in a Personal Room, the host can accept the default time you set at the site level, or change how many minutes after a meeting starts that they want the Personal Room to lock, including zero minutes.

1. Sign in to Webex Site Administration, and navigate to Configuration > Common Site Settings > Options.

2. In the Site Options section, check Automatically lock Personal Rooms [x] minutes after meeting starts.

3. Set the number of minutes after the meeting starts that the Personal Room is locked.

4. Select Update.

We recommend, as a minimum, that you allow attendees who have signed in to enter an unlocked Personal Room, but require unauthenticated attendees to wait in the lobby of the unlocked Personal Room until the host manually admits them.

With this option, in a locked room the host sees a list of attendees waiting in the lobby that indicates who has signed in and who has not. In an unlocked room, the list of attendees waiting in the lobby shows only people who have not signed in, because people who have signed in are admitted automatically. In both cases, the host can review the list and choose who to allow into the Personal Room meeting.

1. Sign in to Webex Site Administration, and navigate to Configuration > Common Site Settings > Options.

2. In the Site Options section, scroll to Personal Room Security to view the following options:

  • Anyone can enter an unlocked room

    This option is not recommended. Anyone who has the join URL can enter Personal Rooms without any authentication.

  • Signed-in attendees can enter an unlocked room, but unauthenticated attendees must wait in the lobby until the host manually admits them

    This is the minimum recommended level of security. It gives the host a list of users who are unauthenticated, and lets the host admit individual users who are legitimate attendees while keeping out those who aren't.

    If you choose this option, you can specify the value for the Exception: Allow unauthenticated attendees to enter an unlocked room if they signed in within the last <number 1 to 15> weeks option.

  • No one can enter a room or lobby without signing in

    The highest level of security for unauthenticated users.

3. Select Update.

To manage policy settings for all users on your site, the following features are also available in Webex Site Administration. Find these features at: Configuration > Common Site Settings > Options > Security Options.


The options marked with an asterisk (*) are only available to sites managed in Webex Site Administration that do not have single sign-on enabled.

Account Management

  • *Lock out an account after a configurable number of failed login attempts

  • Deactivate an account after a configurable number of inactive days

Account Signup

  • *Add a security check in the signup form which requires new users to type the letters or digits of a distorted image that appears on the screen

  • *Require email confirmation of new accounts

Password management

  • Require specific rules for password format, length, and reuse

  • Create a list of prohibited passwords (for example, “password”)

Password aging

  • *Force users to change password at regular intervals

  • Set a minimum time interval when users can change their password