Overview of Webex security

The Webex Meetings Suite helps enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Webex. Webex helps to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

For all organizations and their users, security is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content.

Webex provides a secure environment that you can configure as an open place to collaborate. Understanding the security features as site administrators and end users can allow you to tailor your Webex site to your business needs.

For additional information, see the Webex security technical paper.

Best practices for Webex administrators

Effective security begins with Webex site administration; which allows administrators to manage and enforce security policies for host and presenter privileges. For example, an authorized administrator can customize session configurations to disable a presenter’s ability to share applications, or to transfer files on a per-site or a per-user basis.

We absolutely recommend that you keep your number of administrators to a minimum. Fewer administrators means fewer opportunities for site setting errors.

After you review the best practices for site administrators, be sure to review the best practices for secure meetings for hosts.

We recommend using the following features for protection of your meetings:

Scheduled Webex Meetings

Scheduled Webex meetings are our recommended meeting type when security is important to you or your organization. Scheduled meetings are one-time meetings that are password protected and have a wide range of security features in meeting feature controls and attendee controls. As an administrator you can control the security features for all scheduled meetings on your Webex site. Hosts can also configure meeting security, meeting options and attendee privileges when they schedule their meeting.

Personal Room Meetings

Webex Meetings Personal Rooms are a form of Webex meeting that are continuously available to the meeting host. The meeting host activates their personal room when they join and deactivates the meeting room when they leave. Webex Meetings Personal Rooms are intended to provide a quick and convenient way for trusted participants to meet, and therefore have a limited set of configurable security features. If meeting security is your primary concern, we recommend using scheduled Webex meetings which have a comprehensive set of configurable security features.

Personal Room Meetings can be enabled or disabled for all users in your Webex site. If enabled for your Webex site, they can be enabled or disabled for individual users.

To enable Personal Room Meetings

1

From the customer view in https://admin.webex.com, go to Services, and under Meeting, select Sites.

2

Choose the Webex site to change the settings for, and click Configure Site.

3

Under Common Settings, select Security.

4

In the Site Options section, check the Enable Personal Room (When enabled, you can turn this on or off for individual users) check box.

5

Select Update.

Locking Webex meetings affects the meeting entry behaviour for all users. By default, all meetings are locked after 5 minutes, and everyone must wait in the lobby until the host admits them.

Separate meeting lock settings are available for scheduled meetings and personal room meetings on your Webex site.

The meeting lock controls allow an administrator to do the following:

  • Automatically lock the meeting 0, 5, 10, 15, or 20 minutes after the meeting starts

  • Configure the meeting entry behaviour when the meeting is locked:

    • Everyone waits in the lobby until the host admits them

    • No one can join the meeting

The default setting when a meeting is locked is Everyone waits in the lobby until the host admits them.

As an administrator, you can force meeting hosts to use the site-wide default meeting lock settings, or allow the host to set the number of minutes after the meeting starts when it gets locked. We recommend you enforce automatic locking of meetings after a set time. Meeting hosts can always use in-meeting controls to lock and unlock their meeting while it is in progress.

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

Under the Webex Meeting Security and the Personal Room Security sections, check Automatically lock Personal Rooms after [x] minutes after meeting starts , and choose the number of minutes from the drop-down list.

If you set the number of minutes to 0, your meeting is locked when it starts.

5

(Optional) Click the lock icon beside Automatically lock. If you automatically lock the room, the icon turns red. Hosts can't change the lock settings for their meetings.

6

Select Update.

The lobby is enabled by default for all Webex meetings. With this default setting, when a meeting starts, and the meeting is unlocked, all guest users will be placed into the lobby, until the host admits them.

A guest user is defined as follows:

  • Not signed in (identity is not authenticated)

  • Signed in, but belongs to an external organization

With the default setting “Guests can wait in the lobby until the host admits them”, when the meeting is unlocked, users in your organization who have signed in with a Webex account using a host or attendee license bypass the lobby and join the meeting directly.

The meeting host can see a list of attendees waiting in the lobby. When users are placed into the lobby of a meeting, they are categorized into three groups to simplify user screening and meeting admission choices:

  • Internal users (authenticated users in your organization)

  • External users (authenticated users in external organizations)

  • Unverified users (users who have not signed in and are not authenticated)

Internal and external authenticated users have signed in and verified their identity. The identity of unverified users (users who have not signed in) can't be assumed to be true because they were not authenticated.

Users can be admitted to the meeting, or removed from the lobby individually or as a group.

Webex Meeting Lobby controls

For more information on lobby controls see Know who you're letting into your Webex meeting.

To change the lobby settings for scheduled meetings and personal room meetings

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

In the Webex Meeting Security and the Personal Room Security sections, under When a meeting is unlocked, select one of the following options:

  • Guests can join directly - Disables the lobby for your meetings, allowing any user to directly join your meeting. Webex strongly discourages disabling the lobby, as doing so makes your meeting vulnerable to unwanted attendees joining your meeting and meeting toll fraud.

  • Guests wait in the lobby until the host admits them - (Default setting) This option is the minimum recommended level of security. Authenticated attendees in your organization join the meeting directly, while guests wait in the lobby. Hosts can admit guests who are legitimate attendees, and deny entry to the attendees who aren't.

  • Guests can't join - Only attendees who have a user account on your site and have signed can attend the meeting. This setting makes your meetings “internal only” which means they are available only to users in your organization.

5

Select Update.

We recommend that you enforce password requirement on users joining scheduled meetings from phone or video conferencing systems. The system automatically generates an eight-digit numeric password for phone and video conferencing system attendees and adds it to the meeting invitation. This measure ensures that only people with an invitation can join the meeting when using a phone or video conferencing system.

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

In the Webex section:

  • Go to the Webex Meetings section, and check Enforce meeting password when joining by phone. This setting also applies to Webex Webinars.

  • Go to the Webex Meetings section, and check Enforce meeting password when joining by video conferencing systems. This setting also applies to Webex Webinars.

  • Go to the Webex Events section, and check Enforce event password when joining by phone. This setting applies to Events (classic).

  • Go to the Webex Training section, and check Enforce training password when joining by phone.


 

If any of these options aren't available, contact Webex support to enable them.

5

Select Update.

We recommend that you prevent attendees from joining before the host, unless you fully understand the security risk and require this functionality.

Consider disabling the join before host options for your site, particularly for listed meetings. Otherwise, external attendees could leverage scheduled meetings for their own purposes, without the knowledge or consent of the host.

Similarly, if you allow attendees to join before host, consider not allowing them to join audio before host. If your meeting is listed on your site or is not password-protected, unauthorized users could potentially gain access and initiate expensive calls without the host's knowledge or consent.

For Personal Conference Meetings (PCN Meetings), we recommend disabling the join audio before host option. The host must dial the Webex access number for the audio bridge, and then enter the host access code and host PIN, before attendees can join the meeting.

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

To prevent attendees from joining before the host, go to the Webex section and uncheck the following boxes:

  • Allow attendees or panelists to join before host (Meetings, Training and Events)

  • The first attendee to join will be the presenter (Meetings)


     

    This setting also applies to Webex Webinars.

  • Allow attendees to join the audio conference (Meetings)


     

    This setting also applies to Webex Webinars.

  • Allow attendees or panelists to join the audio conference (Training)

  • Allow attendees or panelists to join the audio conference (Events)


     

    This setting applies to Events (classic).

  • Allow attendee to join the audio portion of Personal Conference before host

5

Select Update.

In addition to using the meeting lobby and meeting lock features for personal room meetings, you can use CAPTCHA to detect and block attackers using robots and scripts to fraudulently gain access to your personal room meetings. When enabled, CAPTCHA applies to guests joining your personal room meeting.

A guest user is defined as follows:

  • Not signed in (identity is not authenticated)

  • Signed in, but belongs to an external organization

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

In the Personal Room Security section, check the box beside Show CAPTCHA when attendees enter a host's Personal Room.

5

6

Select Update.

Telephony callback fraud can happen when someone joins one of your meetings and uses callback to call suspicious phone numbers from different countries, which cost your organization money. These suspicious phone numbers can come from anywhere in the world; however, we observed that the countries and regions that have a higher percentage of fraud originates from:

  • Belgium

  • Costa Rica

  • Ecuador

  • Egypt

  • Ethiopia

  • France

  • Moldova

  • Niger

  • Panama

  • Philippines

  • Portugal

  • Saudi Arabia

  • South Africa

  • Sri Lanka

  • Taiwan

  • Turkey

  • Ukraine

  • United Arab Emirates

  • United Kingdom

  • Vietnam

If there are countries you don’t do business with, or if you want to prevent fraudulent or suspicious calls to your meetings from certain countries or regions, you can uncheck them from the Webex Allowed Callback Countries list.

1

From the customer view in https://admin.webex.com, under Services, select Meetings.

2

Select the site that you want to change the settings for, and choose Configure Site.

3

Select Common Settings > Audio Settings

4

In the Webex Allowed Callback Countries section, check or uncheck the check box next to a country or region to enable or disable it.


 

You must leave at least one country or region enabled for callback.

5

When you're done making changes, click Save.

Your changes can take up to 30 minutes to update in the app.

Even meeting titles can reveal sensitive information. For example, a meeting entitled “Discuss acquisition of Company A” can have financial impacts, if revealed ahead of time. Creating unlisted meetings maintains the security of sensitive information.

For listed meetings, the meeting topic and other details appear on your Webex site for authenticated users, as well as unauthenticated users and guests to see. We recommend that you mark all meetings as unlisted, unless your organization has a specific business need to display meeting titles and information publicly.

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

Under Security Options in the Webex section:

  • Go to the Webex Meetings section, and check All meetings must be unlisted. This setting also applies to Webex Webinars.

  • Go to the Webex Events section, and check All events must be unlisted. This setting applies to Events (classic).

  • Go to the Webex Training section, and check All sessions must be unlisted.

5

Select Update.

If your organization works with sensitive information, we recommend that you require all users to have an account on your Webex site. When enabled, Webex prompts all hosts and attendees for their credentials when they join a meeting, event, or training session.

In addition, we recommend that you require attendees to sign in when dialing in from a phone. This requirement prevents anyone getting into the meeting or training session without proper credentials.


 

Participants who join using the Webex application must authenticate, so Webex doesn't prompt them to authenticate when they connect to audio. Thus, this restriction impacts users who join only by phone.

Also, consider restricting video conferencing systems from dialing into a meeting that requires attendees to sign in. For more information, see Scheduled meetings: Enforce meeting password when joining from phone or video conferencing systems.

Keep in mind, that using this option limits your meeting, event, or session to internal attendees (users with an account on your Webex site). This option is an excellent way to keep your meetings secure, but can be limiting if the host needs to have an external guest.

1

From the customer view in https://admin.webex.com, select Services, go to Meeting, and choose Sites.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

In the Webex section, check Require login before site access (Webex Meetings, Webex Events, Webex Training).

5

To require sign-in, when joining a meeting or training session by phone, check the following boxes:

  • Under the Webex Meetings section, check Require users to have an account when joining by phone.

  • Under the Webex Training section, check Require users to have an account when joining by phone.

When checked and the host requires sign-in, attendees must sign in from their phones. Attendees must have added a phone number and PIN to their profile settings to do so.

6

Select Update.

Hiding the links within meetings deters attendees from inviting unwanted guests by making the links less convenient to copy and share. It doesn’t prevent attendees from copying and sharing meeting links from their email invitations.

1

From the customer view in https://admin.webex.com/, go to Services, and select Meeting.

2

Select the Webex site to change the settings for, and select Configure Site.

3

Under Common Settings, select Site Options.

4

Scroll down to Other and check Hide meeting link from attendee view within meetings (Meetings and Events).

This option is unchecked by default.


 
When hidden, the Copy Meeting Link option appears dimmed for attendees in the Meeting Info window, the More Options menu, and the Meeting menu. Hosts can still share meeting links within meetings.

For MacOS, the use of third-party virtual cameras is enabled by default for all users in your organization. Third-party virtual cameras require Webex to load their libraries to give them access to the camera. Libraries loaded by the Webex process inherit all meeting permissions, such as microphone and screen capture, that your users grant Webex. If you disable the use of third-party virtual cameras for your organization, only Webex can access these permissions.

To increase meeting security for your entire organization, turn off third-party virtual camera selection for macOS. If you want to disable virtual cameras for certain sites, see Enable or Disable Virtual Cameras in Webex Meetings.

General User Account security settings are managed in Control Hub under Organization Settings > Authentication. Use these controls to do the following:

  • Enable Single Sign-On for your organization

  • Enable External Social Sign-in (such as Facebook or Google)

  • Enable Multi-Factor Authentication

  • Set Password policies (password length, complexity, etc.)

The following Webex site-specific security features are available via Webex Control Hub. Find these features at: Configure Site > Common Settings > Security > Security Options.

Account Management

  • Deactivate an account after a configurable number of inactive days.

Require strong passwords for meetings (Include registration and panelist passwords)

  • Require specific rules for password format, length, and reuse.

  • Create a list of prohibited passwords (for example, “password”).