Webex Hardening Guide
Enterprise collaboration hardening for Cisco Webex including meeting security, SSO configuration, and admin controls
Overview
Cisco Webex is a leading enterprise collaboration platform providing video conferencing, messaging, and calling for millions of users worldwide. As a critical communication tool handling sensitive business discussions and data, Webex security configurations directly impact confidentiality and compliance with data protection requirements.
Intended Audience
- Security engineers managing collaboration platforms
- IT administrators configuring Webex
- GRC professionals assessing communication security
- Meeting administrators managing site settings
How to Use This Guide
- L1 (Baseline): Essential controls for all organizations
- L2 (Hardened): Enhanced controls for security-sensitive environments
- L3 (Maximum Security): Strictest controls for regulated industries
Scope
This guide covers Webex Control Hub and Site Administration security including meeting security, SSO, user management, and data protection.
Table of Contents
- Authentication & SSO
- Meeting Security
- Admin & Site Security
- Data Protection
- Compliance Quick Reference
1. Authentication & SSO
1.1 Configure SAML Single Sign-On
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3, 12.5 |
| NIST 800-53 | IA-2, IA-8 |
Description
Configure SAML SSO to centralize authentication for Webex applications.
ClickOps Implementation
Step 1: Access SSO Settings
- Navigate to: Control Hub → Management → Organization Settings → Authentication
- Click Modify for SSO configuration
Step 2: Configure SAML
- Select Integrate a 3rd-party identity provider
- Download Webex metadata
- Configure IdP with Webex metadata
- Upload IdP metadata to Webex
Step 3: Configure IdP Application
- Create a SAML 2.0 application in your IdP (Webex user sign-in uses SAML 2.0; OAuth 2.0 is what API integrations and service apps use, not SSO)
- Configure attribute mappings; the identifier the IdP asserts must match the user's Webex email address, or sign-in fails for that user
- Assign users/groups
Step 4: Test and Enable
- Test SSO authentication with a test account from a second browser session before activating
- Verify user provisioning works
- Activate SSO; once active, every user in the organization is redirected to the IdP
- Put the IdP signing certificate's expiry on a renewal calendar: an expired certificate breaks sign-in for every user at once
Time to Complete: ~1 hour
1.2 Enforce Multi-Factor Authentication
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.5 |
| NIST 800-53 | IA-2(1) |
Description
Require MFA for all Webex users.
ClickOps Implementation
Step 1: Enable Organization MFA
- Navigate to: Control Hub → Management → Organization Settings
- Scroll to Authentication section
- Enable Require multi-factor authentication
- This setting applies to users who sign in with Webex credentials; users who sign in through SSO are governed by the IdP's MFA policy instead
Step 2: Configure via IdP (Recommended)
- Enable MFA in your identity provider
- All SSO users are then subject to the IdP's MFA policies
- Use phishing-resistant methods (FIDO2/WebAuthn or certificate-based) for administrators
1.3 Configure User Provisioning
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 5.3 |
| NIST 800-53 | AC-2 |
Description
Configure automatic user provisioning and deprovisioning.
ClickOps Implementation
Step 1: Configure SCIM Provisioning
- Navigate to: Control Hub → Users → Directory Sync
- Configure directory sync:
- Okta
- Microsoft Entra ID (formerly Azure Active Directory)
- Other SCIM 2.0 providers, pointed at the organization's Webex SCIM endpoint
Step 2: Configure Synchronization
- Map user attributes
- Configure group synchronization
- Enable automatic deprovisioning
Step 3: Test Provisioning
- Create test user in IdP
- Verify user appears in Webex
- Test deprovisioning
2. Meeting Security
2.1 Configure Meeting Passwords
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 6.3 |
| NIST 800-53 | IA-2 |
Description
Require passwords for all Webex meetings.
Rationale
Why This Matters:
- Prevents unauthorized meeting access
- Protects against meeting bombing
- Required for compliance
ClickOps Implementation
Step 1: Configure Site Password Settings
- Navigate to: Control Hub → Services → Meeting → Sites
- Select your site → Configure Site
- Navigate to Common Settings → Security
Step 2: Enable Password Requirements
- Enable Require meeting password
- Configure password complexity
- Enable the password enforcement options for joining by phone and from video systems as well, so dial-in and SIP participants cannot bypass the password
Step 3: Apply to All Meeting Types
- Apply to scheduled meetings
- Apply to Personal Rooms (PMRs), whose persistent URLs make them the most common target for uninvited joins
2.2 Configure Meeting Lock and Lobby
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 13.5 |
| NIST 800-53 | AC-3 |
Description
Configure automatic meeting lock and lobby controls.
ClickOps Implementation
Step 1: Configure Auto-Lock
- Navigate to: Site Settings → Security
- Configure Automatically lock meetings:
- Lock after: 5 minutes (recommended)
- Options: 0, 5, 10, 15, or 20 minutes
Step 2: Configure Lobby Behavior
- Configure When meeting is locked:
- Everyone waits in lobby (recommended)
- Or No one can join
- Configure host notification
Step 3: Configure Guest Access
- Control unauthenticated guest access
- Require sign-in for external participants
- Configure lobby hold time
2.3 Require Authentication for Meetings
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 6.3 |
| NIST 800-53 | IA-2 |
Description
Require users to sign in before joining meetings.
ClickOps Implementation
Step 1: Enable Sign-In Requirement
- Navigate to: Site Settings → Security
- Enable Require sign-in when joining meetings
- This prompts all participants for credentials; plan for external guests, who then need a Webex account to join
Step 2: Configure Host Requirements
- Require hosts to be signed in
- Require attendees to be signed in (L3)
- Allow exceptions for external guests if needed
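Site settings fix the defaults, but hosts can still schedule individual meetings that lock late or let guests skip the lobby. The script below, added here as an example for sections 2.2 and 2.3 and not Cisco's code, audits meeting objects against the L1/L2/L3 expectations above. The sample list is constructed to look like items from the Webex Meetings API (GET https://webexapis.com/v1/meetings); the field names enableAutomaticLock, automaticLockMinutes, unlockedMeetingJoinSecurity, requireAttendeeLogin and restrictToInvitees are taken from that API reference as it read at the time of writing, so verify them before running this against a live site.

```python
"""Audit scheduled Webex meetings for lock, lobby and sign-in settings.

Added example for sections 2.2 and 2.3, not Cisco's code. Field names follow
the Meetings API reference; the sample meetings are constructed.
"""
import json
from typing import Dict, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

MEETINGS_URL = "https://webexapis.com/v1/meetings"
MAX_AUTO_LOCK_MINUTES = 5                                     # 2.2 Step 1 recommendation
SAFE_UNLOCKED_JOIN = {"allowJoinWithLobby", "blockFromJoin"}  # 2.2 Step 2: never plain allowJoin


def audit_meeting(meeting: Dict, profile: str = "L2") -> List[str]:
    """Return the profile violations for one meeting object (empty list = compliant)."""
    issues = []
    if not meeting.get("password"):
        issues.append("L1: no meeting password")
    if not meeting.get("enableAutomaticLock"):
        issues.append("L1: automatic lock disabled")
    elif meeting.get("automaticLockMinutes", 0) > MAX_AUTO_LOCK_MINUTES:
        issues.append(f"L1: auto-lock after {meeting['automaticLockMinutes']} min "
                      f"exceeds {MAX_AUTO_LOCK_MINUTES}")
    if meeting.get("unlockedMeetingJoinSecurity") not in SAFE_UNLOCKED_JOIN:
        issues.append("L1: guests bypass the lobby while the meeting is unlocked")
    if profile in ("L2", "L3") and not meeting.get("requireAttendeeLogin"):
        issues.append("L2: attendees are not required to sign in")
    if profile == "L3" and not meeting.get("restrictToInvitees"):
        issues.append("L3: meeting is not restricted to invitees")
    return issues


def audit_meetings(meetings: List[Dict], profile: str = "L2") -> Dict[str, List[str]]:
    return {m["id"]: audit_meeting(m, profile) for m in meetings}


def fetch_meetings(token: str, start: str, end: str, host_email: Optional[str] = None) -> List[Dict]:
    """Live fetch, not called in the offline run. With an admin token, hostEmail
    lists another user's scheduled meetings; from/to are ISO-8601 timestamps."""
    params = {"from": start, "to": end, "meetingType": "scheduledMeeting", "max": 100}
    if host_email:
        params["hostEmail"] = host_email
    req = Request(f"{MEETINGS_URL}?{urlencode(params)}",
                  headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp).get("items", [])


# Constructed sample: one compliant meeting, one wide open, one that locks too late.
SAMPLE_MEETINGS = [
    {"id": "m-1", "title": "Board prep", "password": "Qx7!pLm2", "enableAutomaticLock": True,
     "automaticLockMinutes": 5, "unlockedMeetingJoinSecurity": "allowJoinWithLobby",
     "requireAttendeeLogin": True, "restrictToInvitees": True},
    {"id": "m-2", "title": "All hands", "password": "", "enableAutomaticLock": False,
     "automaticLockMinutes": 0, "unlockedMeetingJoinSecurity": "allowJoin",
     "requireAttendeeLogin": False, "restrictToInvitees": False},
    {"id": "m-3", "title": "Vendor sync", "password": "Hr4#zz9Q", "enableAutomaticLock": True,
     "automaticLockMinutes": 20, "unlockedMeetingJoinSecurity": "blockFromJoin",
     "requireAttendeeLogin": True, "restrictToInvitees": False},
]

if __name__ == "__main__":
    for meeting_id, issues in audit_meetings(SAMPLE_MEETINGS, "L2").items():
        print(meeting_id, "OK" if not issues else "; ".join(issues))
```

The profile argument mirrors the guide's levels, so the same run can report L1 drift for the whole site and L3 drift only for the hosts who are expected to meet it.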
2.4 Configure Content Sharing Controls
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.3 |
| NIST 800-53 | AC-3 |
Description
Control what content can be shared in meetings.
ClickOps Implementation
Step 1: Configure Sharing Permissions
- Navigate to: Site Settings → Common Settings
- Configure sharing options:
- Screen sharing permissions
- Application sharing
- File transfer capabilities
Step 2: Configure Host Controls
- Allow hosts to disable participant sharing
- Configure annotation permissions
- Set default sharing preferences
3. Admin & Site Security
3.1 Limit Administrator Access
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 5.4 |
| NIST 800-53 | AC-6 |
Description
Minimize administrator accounts to reduce risk.
Rationale
Why This Matters:
- Cisco recommends keeping the number of administrators to a minimum
- Fewer admins means fewer opportunities for errors
- Reduces blast radius of compromised accounts
ClickOps Implementation
Step 1: Review Administrators
- Navigate to: Control Hub → Users → Filter by admin roles
- Review all administrator accounts
- Identify unnecessary admin access
Step 2: Implement Role-Based Access
- Use granular admin roles instead of Full Administrator wherever the task allows:
- Full Administrator (reserve for a small, named set of accounts)
- Read-only Administrator (for auditors and reporting)
- User and Device Administrator
- Webex Site Administrator (scoped to one meeting site)
- Compliance Officer (eDiscovery and Events API access, kept separate from admin rights)
- Assign the minimum role the job requires
Step 3: Regular Access Reviews
- Quarterly review of admin access
- Remove departed employees
- Document business justification
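The quarterly review in Step 3 is easier to do from data than from the Control Hub UI. The script below, added here as an example for section 3.1 and not Cisco's code, joins the user list with the role catalogue and flags Full Administrators and admins who have not signed in within the review window. The inputs are constructed to look like the People API (GET https://webexapis.com/v1/people, where roles is a list of role IDs and lastActivity an ISO-8601 timestamp) and the Roles API (GET https://webexapis.com/v1/roles, which maps role IDs to names); the role IDs and display names below are made up, so take the real ones from /v1/roles.

```python
"""Review Webex administrator accounts for least privilege and staleness.

Added example for section 3.1, not Cisco's code. Role IDs, role names and the
people records are constructed; field names follow the People and Roles APIs.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

STALE_AFTER = timedelta(days=90)        # quarterly review cadence from 3.1 Step 3
BROAD_ROLES = {"Full Administrator"}    # roles that need a documented justification


def parse_ts(ts: str) -> datetime:
    """Webex timestamps look like 2025-01-15T10:20:30.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def review_admins(people: List[Dict], roles: List[Dict], now: datetime) -> List[Dict]:
    """One record per account holding any admin role, with review flags."""
    names = {r["id"]: r["name"] for r in roles}
    report = []
    for person in people:
        assigned = [names.get(rid, rid) for rid in person.get("roles", [])]
        if not assigned:
            continue                                  # ordinary user, out of scope
        flags = []
        if BROAD_ROLES & set(assigned):
            flags.append("broad-role")
        last = person.get("lastActivity")
        if last is None:
            flags.append("never-active")              # provisioned admin that never signed in
        elif now - parse_ts(last) > STALE_AFTER:
            flags.append("stale")
        report.append({"email": person["emails"][0], "roles": assigned, "flags": flags})
    return report


def summarize(report: List[Dict]) -> Dict[str, int]:
    return {
        "admins": len(report),
        "full_admins": sum(1 for r in report if "broad-role" in r["flags"]),
        "needs_action": sum(1 for r in report if {"stale", "never-active"} & set(r["flags"])),
    }


# Constructed sample data (role IDs and names are not Webex's real values).
ROLES = [
    {"id": "role-full", "name": "Full Administrator"},
    {"id": "role-ro", "name": "Read-only Administrator"},
    {"id": "role-ud", "name": "User and Device Administrator"},
]
PEOPLE = [
    {"id": "p-1", "emails": ["alice@example.com"], "roles": ["role-full"],
     "lastActivity": "2025-02-01T09:00:00.000Z"},
    {"id": "p-2", "emails": ["bob@example.com"], "roles": ["role-full"],
     "lastActivity": "2024-09-15T12:00:00.000Z"},           # left the admin team months ago
    {"id": "p-3", "emails": ["carol@example.com"], "roles": ["role-ro"]},   # never signed in
    {"id": "p-4", "emails": ["dave@example.com"], "roles": [],
     "lastActivity": "2025-02-03T16:30:00.000Z"},           # regular user, skipped
]
REVIEW_DATE = datetime(2025, 2, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    rows = review_admins(PEOPLE, ROLES, REVIEW_DATE)
    for row in rows:
        print(row["email"], row["roles"], row["flags"] or "ok")
    print(summarize(rows))
```

Feed the output into the access-review ticket: every "broad-role" entry needs a written justification, and every "stale" or "never-active" entry is a removal candidate unless someone claims it.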
3.2 Configure Enterprise Mobility Management
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 13.7 |
| NIST 800-53 | AC-19 |
Description
Configure EMM for mobile device security.
ClickOps Implementation
Step 1: Enable EMM Integration
- Navigate to: Control Hub → Organization Settings → Device Management
- Configure EMM/MDM integration:
- Microsoft Intune
- VMware Workspace ONE
- Other AppConfig providers
Step 2: Configure App Protection
- Prevent copy/paste from Webex app
- Prevent screenshots
- Control file sharing destinations
3.3 Configure Audit Tracking
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 8.2 |
| NIST 800-53 | AU-2 |
Description
Enable and monitor administrative audit logs.
ClickOps Implementation
Step 1: Access Audit Logs
- Navigate to: Control Hub → Management → Troubleshooting → Audit
- Review admin actions
- Filter by user, date, or action
Step 2: Export Logs
- Export logs for SIEM integration
- Pull events programmatically with the Admin Audit Events API (GET /v1/adminAudit/events), authenticated by an integration or service app granted the audit:events_read scope
- Schedule regular pulls and alert on the events below rather than relying on manual review in Control Hub
Key Events to Monitor:
- Admin login events
- Configuration changes
- User provisioning/deprovisioning
- Security setting modifications
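The following script, added here as an example for section 3.3 and not Cisco's code, pulls audit events page by page and keeps the categories worth alerting on, emitting one JSON object per line for a SIEM collector. The endpoint, the orgId/from/to/max query parameters and the RFC 5988 Link-header pagination follow the Admin Audit Events API reference, as do the data.eventCategory, data.eventDescription, data.actorEmail and data.actorIp field names; the values in KEY_CATEGORIES and the two fake response pages are constructed so that the example runs offline. A real run needs a token with the audit:events_read scope.

```python
"""Pull Webex admin audit events with pagination and keep the security-relevant ones.

Added example for section 3.3, not Cisco's code. KEY_CATEGORIES values and the
fake pages are constructed; endpoint and field names follow the API reference.
"""
import json
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

AUDIT_URL = "https://webexapis.com/v1/adminAudit/events"
KEY_CATEGORIES = {"LOGINS", "USERS", "SETTINGS"}   # assumed values; tune to your org's log


def build_url(org_id: str, start: str, end: str, page_size: int = 200) -> str:
    return f"{AUDIT_URL}?{urlencode({'orgId': org_id, 'from': start, 'to': end, 'max': page_size})}"


def http_get(url: str, token: str) -> Tuple[Dict, str]:
    """Live GET returning (json body, Link header). Not used in the offline run."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req) as resp:
        return json.load(resp), resp.headers.get("Link", "")


def next_link(link_header: str) -> Optional[str]:
    """Webex paginates with a Link header: <url>; rel="next"."""
    m = re.search(r'<([^>]+)>;\s*rel="next"', link_header)
    return m.group(1) if m else None


def fetch_audit_events(org_id: str, start: str, end: str, token: str = "",
                       get: Callable[[str, str], Tuple[Dict, str]] = http_get) -> List[Dict]:
    url = build_url(org_id, start, end)
    events = []
    while url:
        body, link = get(url, token)
        events.extend(body.get("items", []))
        url = next_link(link)          # None on the last page ends the loop
    return events


def select_key_events(events: List[Dict], categories=KEY_CATEGORIES) -> List[Dict]:
    selected = []
    for e in events:
        d = e.get("data", {})
        if d.get("eventCategory") in categories:
            selected.append({"time": e.get("created"), "actor": d.get("actorEmail"),
                             "ip": d.get("actorIp"), "category": d["eventCategory"],
                             "description": d.get("eventDescription")})
    return selected


def to_siem_lines(records: List[Dict]) -> str:
    """One JSON object per line, the shape most SIEM file and HTTP collectors accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed two-page response so the example runs offline.
SAMPLE_FROM, SAMPLE_TO = "2025-02-01T00:00:00.000Z", "2025-02-02T00:00:00.000Z"
NEXT_PAGE_URL = f"{AUDIT_URL}?orgId=org-1&cursor=page2"
FAKE_PAGES = {
    build_url("org-1", SAMPLE_FROM, SAMPLE_TO): ({"items": [
        {"id": "e-1", "created": "2025-02-01T08:01:00.000Z", "data": {
            "eventCategory": "LOGINS", "eventDescription": "Admin signed in",
            "actorEmail": "alice@example.com", "actorIp": "203.0.113.10"}},
        {"id": "e-2", "created": "2025-02-01T08:05:00.000Z", "data": {
            "eventCategory": "DEVICES", "eventDescription": "Device added",
            "actorEmail": "bob@example.com", "actorIp": "203.0.113.11"}},
    ]}, f'<{NEXT_PAGE_URL}>; rel="next"'),
    NEXT_PAGE_URL: ({"items": [
        {"id": "e-3", "created": "2025-02-01T09:00:00.000Z", "data": {
            "eventCategory": "SETTINGS", "eventDescription": "SSO configuration changed",
            "actorEmail": "alice@example.com", "actorIp": "198.51.100.7"}},
    ]}, ""),
}


def fake_get(url: str, token: str) -> Tuple[Dict, str]:
    return FAKE_PAGES[url]


if __name__ == "__main__":
    events = fetch_audit_events("org-1", SAMPLE_FROM, SAMPLE_TO, get=fake_get)
    print(to_siem_lines(select_key_events(events)))
```

Keep the from/to window slightly overlapping between scheduled runs and deduplicate on the event id downstream; a collector that stops at the first page silently loses everything after the first 200 events.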
4. Data Protection
4.1 Configure Encryption Settings
Profile Level: L1 (Baseline)
| Framework | Control |
|---|---|
| CIS Controls | 3.11 |
| NIST 800-53 | SC-8, SC-28 |
Description
Verify and configure encryption for data protection.
Webex Encryption Features
- Messaging: message and file content is encrypted on the client with keys from the Webex Key Management Service (KMS) before it reaches Cisco's servers; with the Cisco-hosted KMS, Cisco still holds the keys, so "end-to-end" here does not mean customer-only key control
- Hybrid Data Security (HDS): runs the KMS on customer-managed infrastructure so that only the customer can decrypt message content
- Meetings: signaling and media are encrypted in transit (TLS 1.2+ and SRTP); the optional end-to-end encryption session type keeps media keys out of Cisco's cloud (Cisco's Zero-Trust Security, built on the MLS and SFrame standards)
ClickOps Implementation
Step 1: Messaging Encryption
- Content encryption for messaging is always on; there is no toggle in Control Hub
- For customer-held keys, deploy Hybrid Data Security: Control Hub → Services → Hybrid → Hybrid Data Security
- Treat HDS as an infrastructure project (nodes and a database you operate) and back up its configuration and keys; content encrypted under lost keys is unrecoverable
Step 2: Configure Meeting Encryption
- Navigate to: Control Hub → Services → Meeting → Sites → select your site → Configure Site → Common Settings → Session Types
- Enable an end-to-end encryption session type and assign it to the hosts who need it; hosts select it when scheduling
- Note: end-to-end encrypted meetings cannot be cloud-recorded or joined by PSTN dial-in, and other features are limited; check the current limitations list before rolling it out
4.2 Configure Data Loss Prevention
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.1 |
| NIST 800-53 | AC-3 |
Description
Configure DLP controls for data protection.
Rationale
Why This Matters:
- Collaboration spaces mix internal and external users, so sensitive content is easily posted where it should not be
- Webex labels external participants so users can see when a space or meeting includes people from outside the organization
- The Events API lets third-party DLP tools read message and file events and remediate violations
ClickOps Implementation
Step 1: Configure External Participant Indicators
- Webex App marks users from outside your organization and the spaces that contain them; keep this labeling enabled
- Users see when external participants join a space or meeting
- Visual cues for sensitive discussions
Step 2: Configure DLP Integration
- Assign the Compliance Officer role to a dedicated account (Control Hub → Users → select the user → Administrator roles) and create an integration or service app with the spark-compliance:events_read scope, plus spark-compliance:messages_write if the tool will delete violating messages (Pro Pack required)
- Point your DLP tool at the Events API (GET /v1/events) or use a DLP vendor that integrates with it
- Monitor for policy violations
Step 3: Configure Retention
- Set message retention policies
- Configure eDiscovery access
- Enable legal holds
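The following script, added here as an example for section 4.2 and not Cisco's or any DLP vendor's code, shows the shape of a minimal DLP pass over the Events API: read message-created events, detect payment card numbers, and build the remediation call. The sample events are constructed to match the Events API (GET https://webexapis.com/v1/events?resource=messages&type=created), which a Compliance Officer token with the spark-compliance:events_read scope can read; the DELETE /v1/messages/{id} request it builds (and does not send) needs spark-compliance:messages_write. The detector is deliberately narrow: 13 to 19 digit runs that pass the Luhn check, which drops ticket and phone numbers that a bare digit regex would flag.

```python
"""Scan Webex message events for card numbers and build the remediation request.

Added example for section 4.2, not Cisco's code. Sample events are constructed;
the Events API and Messages API URLs follow the Webex API reference.
"""
import re
from typing import Dict, List, Tuple

MESSAGES_URL = "https://webexapis.com/v1/messages"
# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return masked (first 6 / last 4) card numbers found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan_events(events: List[Dict]) -> List[Dict]:
    """One finding per card number in a newly created message."""
    findings = []
    for ev in events:
        if ev.get("resource") != "messages" or ev.get("type") != "created":
            continue                                   # deletes and other resources are not content
        msg = ev.get("data", {})
        for masked in find_card_numbers(msg.get("text", "")):
            findings.append({"messageId": msg["id"], "roomId": msg.get("roomId"),
                             "sender": msg.get("personEmail"), "match": masked})
    return findings


def remediation_request(finding: Dict) -> Tuple[str, str]:
    """The call a compliance officer token would make to remove the message. Not sent here."""
    return "DELETE", f"{MESSAGES_URL}/{finding['messageId']}"


# Constructed sample events shaped like the Events API response items.
SAMPLE_EVENTS = [
    {"id": "ev-1", "resource": "messages", "type": "created",
     "data": {"id": "m-1", "roomId": "r-1", "roomType": "group",
              "personEmail": "alice@example.com", "text": "Deck is ready, call me on 555-0100"}},
    {"id": "ev-2", "resource": "messages", "type": "created",
     "data": {"id": "m-2", "roomId": "r-2", "roomType": "direct",
              "personEmail": "bob@example.com",
              "text": "Use the corporate card 4111 1111 1111 1111 exp 12/27"}},
    {"id": "ev-3", "resource": "messages", "type": "created",
     "data": {"id": "m-3", "roomId": "r-1", "roomType": "group",
              "personEmail": "carol@example.com", "text": "Ticket ref 1234-5678-9012-3456"}},
    {"id": "ev-4", "resource": "messages", "type": "deleted",
     "data": {"id": "m-4", "roomId": "r-2", "personEmail": "bob@example.com",
              "text": "4111 1111 1111 1111"}},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f, remediation_request(f))
```

In production the scan runs on a schedule against a from/to window, the masked match (never the full number) goes into the incident record, and the delete is issued only after a policy decision; a real product adds more detectors and file scanning, but the event-to-remediation flow is the same.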
4.3 Configure Pro Pack Features
Profile Level: L2 (Hardened)
| Framework | Control |
|---|---|
| CIS Controls | 3.1 |
| NIST 800-53 | AC-3 |
Description
Configure Pro Pack for advanced security controls.
Prerequisites
- Webex Pro Pack license
ClickOps Implementation
Step 1: Configure File Sharing Controls
- Navigate to: Control Hub → Management → Organization Settings → file sharing controls
- Block or allow file uploads, downloads and previews per client type (desktop, mobile, web, bots)
- Control sharing destinations
Step 2: Configure Advanced Compliance
- Enable eDiscovery
- Configure extended retention
- Enable compliance exports
5. Compliance Quick Reference
SOC 2 Trust Services Criteria Mapping
| Control ID | Webex Control | Guide Section |
|---|---|---|
| CC6.1 | SSO/MFA | 1.1 |
| CC6.2 | Admin controls | 3.1 |
| CC6.6 | Meeting security | 2.1 |
| CC6.7 | Encryption | 4.1 |
| CC7.2 | Audit logging | 3.3 |
NIST 800-53 Rev 5 Mapping
| Control | Webex Control | Guide Section |
|---|---|---|
| IA-2 | SSO | 1.1 |
| IA-2(1) | MFA | 1.2 |
| AC-3 | Meeting controls | 2.2 |
| SC-8 | Encryption | 4.1 |
| AU-2 | Audit logging | 3.3 |
Appendix A: References
Official Cisco Documentation:
- Cisco Trust Portal
- Webex Trusted Platform
- Webex Help Center
- Webex Compliance and Certifications
- Best Practices for Secure Meetings: Site Administration
- Best Practices for Secure Meetings: Control Hub
- Webex Security White Paper
- Webex Hardening Guide
API Documentation:
Compliance Frameworks:
- SOC 2 Type II, SOC 3, ISO 27001:2013, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019, EU Cloud Code of Conduct (Level 3) – via Cisco Trust Portal
Security Incidents:
- May 2024 – German Government Meeting Metadata Exposure: An IDOR vulnerability in Cisco Webex allowed threat actors to access meeting metadata (topics, hosts, dates) by incrementing meeting URL numbers. Sensitive meetings of German government officials and European defense/tech companies were exposed. Meeting passwords and participant lists were not accessible. The flaw was fully patched by May 28, 2024.
- March 2024 – German Military Meeting Eavesdropping: Russia-linked actors intercepted a German military Webex meeting discussing Ukraine support, attributed to participants joining via unsecured phone lines rather than a Webex platform vulnerability.
Changelog
| Date | Version | Maturity | Changes | Author |
|---|---|---|---|---|
| 2025-02-05 | 0.1.0 | draft | Initial guide with SSO, meeting security, and data protection | Claude Code (Opus 4.5) |
Contributing
Found an issue or want to improve this guide?
- Report outdated information: Open an issue with tag content-outdated
- Propose new controls: Open an issue with tag new-control
- Submit improvements: See Contributing Guide