Overview of Webex security

The Webex Meetings Suite helps enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Webex. Webex helps to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

For all organizations and their users, security is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content.

Webex provides a secure environment that you can configure as an open place to collaborate. Understanding the security features as site administrators and end users can allow you to tailor your Webex site to your business needs.

For additional information, see the Webex security technical paper.

Best practices for hosts

As a host, you’re the final decision maker concerning the security settings of your meetings, events, webinars, and training sessions. You control nearly every aspect of the meeting, event, webinar, or training session, including when it begins and ends.

Keep your meetings and information secure. Know and follow the security policies for your organization. Follow security best practices when you schedule a meeting, during a meeting, and after a meeting.


 

Use Meeting Lobby and Auto Lock controls when available.

Don’t publish passwords to publicly accessible websites.

Don’t share your Audio PIN with anyone.

Provide meeting passwords only to users who need them.

Never share sensitive information in your meeting until you’re certain who is in attendance.

Webex Meetings Personal Rooms are a form of Webex meeting that are continuously available to the meeting host. The meeting host activates their personal room when they join and deactivates the meeting room when they leave. Webex Meetings Personal Rooms are intended to provide a quick and convenient way for trusted participants to meet, and therefore have a limited set of configurable security features. If meeting security is your primary concern, we recommend using scheduled Webex meetings which have a comprehensive set of configurable security features.

Meeting Room Lobby

The lobby is enabled by default for all Webex Personal Room meetings. With this default setting, when you start your personal meeting room, and the meeting is unlocked, all guest users will be placed into the lobby, until you (the host) admit them.

A guest user is defined as follows:

  • Not signed in (identity is not authenticated)

  • Signed in, but belongs to an external organization

With the default setting “Guests can wait in the lobby until the host admits them”, when the meeting is unlocked, users in your organization who have signed in with a Webex account using a host or attendee license bypass the lobby and join the meeting directly.

The Webex site administrator can change the lobby setting for all personal rooms in your organization from Guests wait in the lobby until the host admits them to one of the following:

  • Guests can join directly - Disables the lobby for all personal rooms in your organization, allowing any user to directly join your personal room meeting, if the meeting is unlocked. Webex strongly discourage disabling the lobby, as doing so makes your meeting vulnerable to unwanted attendees joining your meeting and meeting toll fraud.

  • Guests can't join - All attendees must have a user account on your site and be signed in to attend the meeting. This setting makes personal room meetings internal only, which means they are available only to users in your organization.

When users are placed into the lobby of your personal room, they are categorized into three groups to simplify your user screening and meeting admission choices:

  • Internal users (authenticated users in your organization)

  • External users (authenticated users in external organizations)

  • Unverified users (users who have not signed in and are not authenticated)

Internal and external authenticated users have signed in and verified their identity. The identity of unverified users (users who have not signed in) can't be assumed to be true because they were not authenticated.

Users can be admitted to the meeting, or removed from the lobby individually or as a group.

Webex Meeting Lobby controls

For more information on lobby controls see Know who you're letting into your Webex meeting.

Auto lock Personal Room

Locking your Webex personal meeting room affects the meeting entry behaviour for all users. By default, when the meeting is locked, everyone must wait in the lobby until the host admits them.

A more restrictive setting may also be configured by your site administrator for all Personal Rooms in your organization. With this more restrictive setting, no one can join the meeting when the meeting is locked.

As the meeting host, you can always lock and unlock your meeting while it is in progress, using in-meeting controls.

You can set your Personal Room to lock automatically by selecting Preferences > My Personal Room on your personal Webex user webpage .

By default, your Personal Room is set to lock at 5 minutes. We recommend you keep this setting so that your Personal Room is locked shortly after you start your meeting.

This setting locks your room and prevents attendees from joining the meeting automatically. With this setting, you will see a notification when attendees are waiting in the lobby. You can screen users in the lobby and allow only authorized attendees into your meeting.

Your site administrator can lock the auto-lock setting and set the auto-lock time period for your personal room so that you cannot change it. This administrative capability sets the default auto-lock value for your personal room, but you always have the ability to unlock and re-lock your meeting while it is in progress.


 

Consider your Personal Room URL as a public URL, anyone who knows this URL can wait for you in your lobby. Always check user names before you admit them as an attendee into your room.

Personal Room notifications before a meeting

When users enter your Personal Room lobby, they can send you an email notification letting you know that they are waiting for a meeting to begin. Even unauthorized users that gain access to your Personal Room lobby can send notifications.

We recommend that you review your email notifications before starting a meeting to screen unauthorized attendees.

If you’re seeing too many email notifications from unauthorized attendees, consider turning off these notifications. Go to your personal Webex user webpage to Preferences > My Personal Room, and uncheck Notify me by email when someone enters my Personal Room lobby while I am away.

Personal Room notifications during a meeting

If you lock your Personal Room, you can screen anyone waiting in your lobby. During a locked meeting, notifications will alert you when someone new enters the lobby; you can choose whether to admit them. When multiple attendees wait in your Personal Room lobby, you can choose to admit select individuals, or to admit all waiting attendees to the meeting.

For more information on your Personal Room notifications, see Let someone into your Webex Meeting.

Scheduled Meetings

Scheduled Webex meetings are our recommended meeting type when security is important to you, or your organization. Scheduled meetings are one-time meetings that are password protected and have wide range of security features, in meeting feature controls and attendee controls. See below for steps on how to secure your scheduled meetings.

Make scheduled meeting unlisted

To enhance meeting security settings, hosts can opt not to list their meeting on the public meeting calendar on the Webex site webpage for your organization.

  1. Go to your personal Webex user webpage and from the Schedule page, select Advanced options.

  2. Uncheck the check box next to Listed on public calendar.

    This setting helps prevent unauthorized access and hides meeting information, such as the host, topic, and starting time.

  3. Choose the level of security based on the meeting purpose. For example, if you schedule a meeting to discuss your company picnic, you can set only a password for the meeting. If you plan to discuss sensitive information, such as financial data, you may not want to list the meeting on the meeting calendar. You may also choose to restrict access to the meeting after all attendees have joined, by locking your meeting.

  • Unlisted meetings don't appear in the public meeting calendar on the Webex site web page for your organization

  • Unlisted meetings don't appear in the meeting calendar on the Search Meetings page or on your Calendar page.

  • To join an unlisted meeting, attendees must provide a unique meeting number.

  • Unlisted meetings require the host to inform the meeting attendees. Hosts can send a link in an email invitation, or they can enter the meeting number using the Join Meetings page.


 

Listing a meeting reveals meeting titles and meeting information publicly. If a meeting isn’t password-protected, anyone can join it.

Choose the meeting topic carefully

A listed meeting or a forwarded invitation email could, at a minimum, reveal the meeting titles to unintended audiences. Meeting titles can unintentionally reveal private information. To minimize exposure of sensitive data, such as company names or events, carefully word meeting titles.

Exclude the meeting password from the invitations

For highly sensitive meetings, webinars, events, or training sessions, exclude the password from the invitation email. This measure prevents unauthorized access to meeting details if the invitation email message is forwarded to an unintended recipient.

If you check Exclude password from email invitation when you schedule a meeting, webinar, event, or training session, the password doesn't appear in the invitation. Provide the password to attendees by another means, such as by phone.


 

Webex Webinars doesn't support this feature.

Scheduled Meeting Room Lobby

The lobby is enabled by default for all Webex scheduled meetings. With this default setting, when the scheduled meeting starts, and the meeting is unlocked, all guest users are placed into the lobby, until you (the host) admit them.

A guest user is defined as follows:

  • Not signed in (identity is not authenticated)

  • Signed in, but belongs to an external organization

With the default setting “Guests can wait in the lobby until the host admits them”, when the meeting is unlocked, users in your organization who have signed in with a Webex account using a host or attendee license bypass the lobby and join the meeting directly.

When you schedule a meeting on your personal Webex user web page, you can change the default lobby setting from Guests wait in the lobby until the host admits them to one of the following:

  • Guests can join directly - Disables the lobby for your scheduled meeting, allowing any user to directly join your meeting, if the meeting is unlocked. Webex strongly discourage disabling the lobby, as doing so makes your meeting vulnerable to unwanted attendees joining your meeting and meeting toll fraud.

  • Guests can't join - All attendees must have a user account on your site and be signed in to attend the meeting. This setting makes scheduled meetings "internal only", which means they are available only to users in your organization.

When users are placed into the lobby of your scheduled meeting, they are categorized into three groups to simplify your user screening and meeting admission choices:

  • Internal users (authenticated users in your organization)

  • External users (authenticated users in external organizations)

  • Unverified users (users who have not signed in and are not authenticated)

Internal and external authenticated users have signed in and verified their identity. The identity of unverified users (users who have not signed in) can't be assumed to be true because they were not authenticated.

Users can be admitted to the meeting, or removed from the lobby individually or as a group.

Auto lock for scheduled meetings

Locking your Webex scheduled meeting affects the meeting entry behaviour for all users. By default, when the meeting is locked, everyone must wait in the lobby until the host admits them.

A more restrictive setting may also be configured by your site administrator for all scheduled meetings hosted by users in your organization. With this more restrictive setting, no one can join the meeting when the meeting is locked.

As the meeting host, you can always lock and unlock your meeting while it is in progress, using in meeting controls.

When you schedule a meeting, you can set the meeting to lock automatically from the controls in the Security section on your personal Webex user webpage.

By default, your scheduled meeting is set to lock at 5 minutes. We recommend you keep this setting so that your scheduled meeting is locked shortly after it starts and prevents attendees from joining the meeting automatically.

With this setting, you will see a notification when attendees are waiting in the lobby. You can screen users in the lobby and allow only authorized attendees into your meeting.

Your site administrator can lock the auto lock setting and set the auto lock time period for your scheduled meetings so that you cannot change them. This administrative capability sets the default auto lock value for your scheduled meeting, but you always have the ability to unlock and re-lock your meeting while it is in progress.

Require invitees to register for your meeting, event, or training session

You can require your invitees to register for your meeting, webinar, event, or training session before they join. This lets you secure meeting information and track and gather information on the invitees who plan to attend your meeting, event, or training session.

This feature is enabled during scheduling. To enable this setting in Webex Meetings and Webex Webinars, go to Advanced options, and under Registration select Require attendee registration.

Use entry or exit tone or announce name feature

Using this feature prevents someone from joining the audio portion of your meeting without your knowledge. This feature is enabled by default for Webex Meetings and Webex Training. You can go to Preferences > Audio and Video, and in the Entry and exit tone section, select a tone option from the drop-down list.

While scheduling your meeting, webinar, event, or training session, go to Audio connection options, and in the Entry and exit tone section, select a tone option from the drop-down list.


 

When using the Webex audio option, if you select the announce name feature, attendees joining using the Use computer for audio option don't get the option to record and announce their name.

Restrict available features

Limit the available features, such as chat and audio, if you allow attendees to join the meeting, webinar, event, or training session before the host.

Request that invitees not forward invitations

Request that your invitees do not forward the invitation further, especially for confidential meetings.

Assign a cohost or an alternate host

Assign a cohost to start and control the meeting, webinar, event, or training session (alternate host). This practice keeps meetings, webinars, events, and training sessions more secure by eliminating the possibility that the host role is assigned to an unexpected, or unauthorized, attendee, in case you inadvertently lose your connection to the meeting.


 

When inviting attendees to a scheduled meeting, you can designate one or more attendees as cohosts for the meeting. A cohost can start the meeting and act as the host. Thus, a cohost must have a user account on your Webex Meetings website.

Restrict access to the meeting

Lock the meeting, webinar, event, or training session after all attendees have joined. This prevents more attendees from joining. Hosts can lock or unlock the meeting, webinar, event, or training session while the session is in progress. To lock a meeting that you're currently hosting, click , then click the slider next to Lock Meeting.


 

This option prevents anyone from automatically joining the meeting, webinar, event, or training session. To unlock a meeting that you're currently hosting, click , then click the slider next to Lock Meeting.

Validate the identity of all users in a call

Accounting for every attendee by using a roll call is a secure practice. Ask users to turn on their video or state their name to confirm their identity.


 

To attend a meeting using a phone, a caller needs a valid Webex dial-in number and the nine- to eleven-digit meeting ID. If permitted on your site, attendees who join by phone without a password can join the audio conference portion of the meeting.

If permitted on your site, attendees without accounts can join the meeting. Unauthorized users could identify themselves with any name in your meeting.

Remove a participant from the meeting

You can expel participants at any time during a meeting. Select the name of the participant whom you want to remove, and then click Participant > Expel.

Share an application, not your screen

When you select Share, you can choose to share an application instead of your screen. Sharing an application rather than your screen helps to prevent accidental exposure of sensitive information.

Control who can share

If allowed at the site level, hosts can choose whether to allow all participants to share. If you don't enable the option, you can assign the presenter role to select participants or attendees.

End the meeting

When the meeting, event, or training session is over, be sure to end it for all participants. A dialog may open to provide you the option to leave the meeting, webinar, event, or training session running without ending it. If you need to leave early, make someone else the host so they can be responsible for ending the meeting, event, or training session.

Assign passwords to recordings

We recommend that you don't create recordings that contain sensitive information.

If you create recordings, you can edit the recordings and add passwords before sharing them to keep the information secure. Password-protected recordings require recipients to have the password in order to view them.

  1. To assign passwords to recordings, go to your personal Webex user webpage to Recordings and click to open the Share Recording Window.

  2. On the Share Recording Window, check the check box next to Public Link.

  3. Check the check box next to Password protection, and then type the password in the text field.

  4. Click Save.

Delete recordings

Delete recordings after they are no longer relevant.

  1. Go to Recordings, then select on the recording.

  2. Click Delete, then click Delete again.

Create a strong Audio PIN and protect it. Sign in to your personal Webex site user webpage, and go to Preferences > Audio and Video to create your Audio PIN.

Your PIN is the last level of protection to prevent unauthorized access to your Personal Conference Meeting (PCN Meeting). Even if an unauthorized person obtained your host access code, the conference can't start without the Audio PIN. Protect your Audio PIN and don’t share it.