Cisco WebEx Best Practices for Secure Meetings for Site Administrators and Hosts

Cisco WebEx online solutions help enable global employees and virtual teams
to meet and collaborate in real time as though they were working in the same
room. Businesses, institutions, and government agencies worldwide rely on
Cisco WebEx solutions to simplify business processes and improve results for
sales, marketing, training, project management, and support teams.
Overview of WebEx privacy
For all of these organizations and their users, privacy is a fundamental
concern. Online collaboration must provide multiple levels of security, from
scheduling meetings to authenticating participants to sharing content.
Cisco WebEx is a very secure environment, yet it can be configured as a very
open place to collaborate. Understanding the privacy features as site
administrators and end-users can allow you to tailor WebEx to your business
needs.
WebEx Site Administration
Effective privacy begins with WebEx Site Administration, which allows
administrators to manage and enforce privacy policies for host and presenter
privileges. For example, an authorized administrator can customize session
configurations to disable a presenter’s ability to share applications or to
transfer files on a per-site or a per-user basis.
Cisco recommends use of the following features for protection of your meetings:

Feature: All meetings must be unlisted
Benefits:
Even meeting titles can reveal sensitive information. For example, a meeting
entitled “Discuss acquisition of Company ‘A’” can have financial impacts if
revealed ahead of time. Creating unlisted meetings maintains the privacy of
sensitive information.
• For listed meetings, the meeting topic and other information are displayed on
your site for authenticated users as well as unauthenticated users and
guests to see. Unless your organization has a specific business need to
display meeting titles and information publicly, all meetings should be
marked as unlisted.
• To enable this setting for all users: From the site administration portal, check
the following box:
10/6/2014

Feature: Meetings must have password (strong)
Benefits:
• The most effective step to strengthen the security of your meeting is to
create a high-complexity, non-trivial password (strong password). A strong
password should include a mix of uppercase and lowercase letters,
numbers and special characters (for example, $Tu0psrOx!). Passwords
protect against unauthorized attendance because only users with access to
the password will be able to join the meeting. Following the practice of
requiring passwords for all meetings ensures all meetings created by hosts
are secured.
• Please note: Use of a strong password will not affect the meeting join
experience of authorized attendees. Participants can easily join a meeting
by clicking on the URL in the meeting invitation through email, via WebEx
mobile application or other channels like Jabber.
• To enable this setting: In site administration portal, check and configure the
following boxes:

Feature: Do not allow Join Before Host
Benefits:
• Consider enforcing this option for all hosts. This option is recommended for
listed meetings, as external attendees could leverage the scheduled
meeting for their own purposes, without the host’s knowledge or consent.
• To enable this setting in site administration, uncheck the boxes shown below
to prevent your users from allowing attendees to join before the host:

To manage policy settings for all users on your site, the following features are also available in WebEx
Site Administration.

Feature: Host Account Management
Functionality:
• Lock out an account after a configurable number of failed login attempts
• Automatically unlock a locked-out account after a specified time interval
• Deactivate accounts after a defined period of inactivity
• Require a user to change password at next login
• Lock or unlock a user account
• Activate or deactivate a user account

Feature: Account creation
Functionality:
• Require security text on new account requests
• Require email confirmation of new accounts
• Configure rules for self-registration of new accounts

Feature: Account passwords
Functionality:
• Require specific rules for password format, length, and re-use
• Prohibit easily guessed passwords (for example, “password”)
• Set a minimum time interval before password change

Recommended security practices for hosts
As a host, you are the final decision maker concerning the security settings of your meeting. Always
remember that you control nearly every aspect of the meeting, including when it begins and ends.
Follow the security best practices below when scheduling and hosting meetings based on your
business needs for keeping meetings and information secure.

When scheduling a meeting…

Schedule unlisted meetings
Benefit:
To enhance meeting privacy settings, hosts can opt not to list the meeting on the
meeting calendar. To do this, remove the check mark from this option to help
prevent unauthorized access to the meeting and hide information about the
meeting, such as its host, topic, and starting time.
• An unlisted meeting does not appear in the meeting calendar on the Browse
Meetings page or on your Personal Meetings page.
• To join an unlisted meeting, attendees must provide a unique meeting number.
• Unlisted meetings require the host to inform the meeting attendees, either by
sending a link in an email invitation, or hosts can enter the meeting number
via the Join Meetings page.
• Please Note: Listing a meeting reveals meeting titles and meeting information
publicly. If a meeting is not password protected, anyone can join it.
Tip: Choose a level of security based on the meeting's purpose. For example, if
you schedule a meeting to discuss your company picnic, you probably need to set
only a password for the meeting. On the other hand, if you schedule a meeting in
which you will discuss sensitive financial data, you may not want to list the
meeting on the meeting calendar. You may also choose to restrict access to the
meeting once all attendees have joined it.

Choose the meeting Topic carefully
• A listed meeting or a forwarded invitation email could, at a minimum, reveal the
meeting titles to unintended audiences. Meeting titles can unintentionally
reveal private information, so ensure that titles are carefully worded to
minimize exposure of sensitive data, such as company names or events.

Secure meeting with complex password
• Using complex meeting passwords for every session is the most important step
you can take to protect your meeting. While uncommon, site administrators
may choose to allow the creation of meetings without passwords. Under most
circumstances, protecting all meetings with a strong password is highly
recommended.
• Please Note: Adding passwords to your meetings does not affect the meeting
join experience of authorized attendees. Participants can easily join a meeting
by clicking on the URL in the meeting invitation through email, via the WebEx
mobile application or other channels like Jabber.
• Do not reuse passwords for meetings. Scheduling meetings with the same
passwords weakens meeting protection considerably.

Exclude Meeting Password from invitations
• If you invite attendees to a meeting, the meeting password does not appear in
the email invitations that attendees receive. You must provide the password to
attendees by another means, such as by phone.
• For highly sensitive meetings, exclude the meeting password from the
invitation email. This prevents unauthorized access to meeting details if the
invitation email message is forwarded to an unintended recipient.

Require attendees to have an account on your site
• When this setting is enabled, all attendees must have a user account on your
site to attend the meeting. For information about how attendees can obtain a
user account, ask your site administrator.
• Options to enable this setting are shown below:

Use entry or exit tone or announce name feature
• Using this feature prevents someone from joining the audio portion of your
meeting without your knowledge.
• This feature is enabled by default. To adjust the settings,
select Participant > Entry and Exit Tone. (Not available for Training Center)

Restrict available features
• Limit the available features, such as chat and audio, if you allow attendees to
join the meeting before the host.

Request that invitations not be forwarded
• Request that your invitees do not forward the invitation further, especially for
confidential meetings.

Assign an alternate host
• Assign an alternate host to start and control the meeting. This keeps meetings
more secure by eliminating the possibility that the host role will be assigned to
an unexpected, or unauthorized, attendee, in case you inadvertently lose your
connection to the meeting.
• Note: When inviting attendees to a scheduled meeting, you can designate one
or more attendees as alternate hosts for the meeting. An alternate host can
start the meeting and act as the host. Thus, an alternate host must have a
user account on your Meeting Center Web site.
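
The scheduling recommendations above can be checked mechanically. The following is an added example, not Cisco code and not a WebEx API: it audits constructed meeting records for listed meetings, missing, weak or reused passwords, join-before-host, passwords included in invitations for sensitive meetings, and missing alternate hosts. The record fields, the `rec` helper, the weak-password list and the 8-character minimum are assumptions made for illustration.

```python
import re
from collections import Counter

MIN_LEN = 8  # assumption: the guide leaves the length rule to the site administrator
WEAK = {"password", "webex", "meeting"}  # assumption: sample "easily guessed" values
CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")

def is_strong(pw):
    """Uppercase, lowercase, digit and special character, and not easily guessed."""
    return (len(pw) >= MIN_LEN and pw.lower() not in WEAK
            and all(re.search(c, pw) for c in CLASSES))

def audit(meetings):
    """Return {meeting id: [findings]} for meetings that break a recommendation."""
    reuse = Counter(m["password"] for m in meetings if m["password"])
    report = {}
    for m in meetings:
        pw = m["password"]
        checks = [
            ("listed", m["listed"]),
            ("no-password", not pw),
            ("weak-password", bool(pw) and not is_strong(pw)),
            ("reused-password", reuse[pw] > 1),
            ("join-before-host", m["join_before_host"]),
            ("password-in-invite", m["sensitive"] and m["password_in_invite"]),
            ("no-alternate-host", not m["alternate_hosts"]),
        ]
        found = [name for name, hit in checks if hit]
        if found:
            report[m["id"]] = found
    return report

def rec(mid, pw, listed=False, jbh=False, sensitive=False, in_invite=False,
        alts=("alt@example.com",)):
    """Build one constructed meeting record (hypothetical field names)."""
    return dict(id=mid, password=pw, listed=listed, join_before_host=jbh,
                sensitive=sensitive, password_in_invite=in_invite,
                alternate_hosts=list(alts))

SAMPLE = [  # constructed data, not taken from any real site
    rec("M1", "", listed=True, jbh=True, alts=()),
    rec("M2", "Qz7!meadow#Lk", sensitive=True, in_invite=True),
    rec("M3", "Qz7!meadow#Lk"),
    rec("M4", "Summer2014"),
    rec("M5", "Rv9$glacier&Tn", sensitive=True),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```
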

During the Meeting

Restrict access to the meeting
• Lock the meeting once all attendees have joined the meeting. This will prevent additional
attendees from joining. Hosts can lock/unlock the meeting at any time while the session is in
progress.
• To lock a meeting, select Meeting > Restrict Access.
• Tip: This option prevents anyone from joining the meeting, including
participants who have been invited to the meeting but have not yet joined it.
To unlock a meeting, select Meeting > Restore Access.

Validate identity of all users in a call
• Accounting for every attendee via a roll call is a secure practice. Ask users to
turn on their video or state their name to confirm their identity.
• Please Note:
  o To attend a meeting via phone, a caller only needs to know a valid
    WebEx dial-in number and the nine-digit meeting ID. Meeting
    passwords do not prevent attendees from joining from the audio
    conference portion of WebEx.
  o If attendees without an account are allowed to join the meeting,
    then unauthorized users can identify themselves with any name in
    your meeting.

Remove a participant from the meeting
• Participants can be expelled at any time during a meeting.
• Select the name of the participant whom you want to remove, then
select Participant > Expel.

Share Content or Applications, Not Desktop
• Use Share > Application instead of Share > Desktop to share specific
applications and prevent accidental exposure of sensitive information on your
desktop.

After the Meeting

Assign passwords to recordings
• The best way to prevent unauthorized access to recordings is to not create
recordings.
• If recordings must be created, you can edit meeting recordings and add
passwords before sharing them to keep the information secure. Password-protected
recordings require recipients to have the password in order to view
them.

Delete Recordings
• Delete recordings after they are no longer relevant.

WebEx Personal Conferencing (PCN Meetings)

Personal Conferencing (PCN) in site administration
• Do not enable “Join before Host” for PCN for any user unless you fully
understand the security impact and require this functionality.
• PCN Meetings use two randomly assigned 8-digit access codes for controlling
and accessing a personal conference (a host access code and an attendee
access code). These codes are static and are always available without prior
scheduling. If a PCN meeting is scheduled in advance, the host receives an
invitation with both host & attendee code while invitees receive a separate
invitation which includes (only) the attendee access code.
• With “Join before Host” disabled (recommended), a host must dial the WebEx
Access number for the audio bridge and enter the host access code and host
PIN before attendees can join the meeting.
• With “Join before Host” enabled, attendees can join the meeting without the
host being in attendance. Enabling this setting can result in unintended
consequences including misuse of teleconferencing minutes.

Personal Conferencing security for hosts
• Create a strong Host PIN and protect it.
• Your PIN is the last level of protection for prevention of unauthorized access to
your personal conferencing account. Should a person gain unauthorized
access to the host access code for a PCN meeting, the conference cannot be
started without the host PIN. Protect your host PIN and do not share it.

Conclusion
Taking a few extra steps when configuring site settings and when scheduling and
participating in a WebEx meeting can greatly enhance the meeting’s security and
privacy.

User Guides and Knowledge Base articles for enhancing security and privacy
• Cisco WebEx Quick Start Guide
• WebEx Security White Paper
• What Level of Security Should I have for my Scheduled Meeting?
• How Do I Require All Meetings or Training Sessions to be Unlisted for the
Entire Site?
• How Do I Schedule an Unlisted Meeting?
• How Do I Change an Unlisted Meeting to a Listed Meeting?