Microsoft Office Live 2007 R2. Guide. Published: August 2008

Transcription

1 Microsoft Office Live 2007 R2 Meeting Service Security Guide Published: August 2008

2 Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the companies, organizations, products, domain names, addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property Microsoft Corporation. All rights reserved. Microsoft, MSN, Outlook, PowerPoint, Visio, and Windows are trademarks of the Microsoft group of companies. Microsoft, MSN, Outlook, PowerPoint, Visio, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All other trademarks are property of their respective owners.

3 Contents Contents... 3 Introduction... 1 About This Guide... 1 Part I: Office Live Meeting Security... 2 Access Security... 3 Meeting Ownership... 3 Access Control... 3 Participation Control... 4 Content Control... 4 Schedule Privacy... 4 Attendance Tracking... 4 Content Storage Security... 5 Persistent Content... 5 High Performance... 5 Software Security... 5 Hosting Infrastructure Security... 6 Physical Security... 6 Dedicated and Certified Security Personnel... 6 Third Party Certifications... 6 Data Transmission Security... 6 Encryption... 7 Firewall Policy and Auto Sensing Technology... 7 Part II: Security Features for Conference Center Administrators Corporate Software Installation Policies Web-Based Client Managing Memberships Creating a Membership Restricting Memberships Enforcing Password and Meeting Key Policies Live Meeting Policies Conference Center Account Policies Conference Center Account Preferences User Role Policies Individual Member Privileges Part III: Security Features for Meeting Organizers and Attendees Scheduling a Meeting Access Control List (ACL) Sending Invitations Meeting Lobby Conducting a Meeting... 23

4 Verifying Meeting Attendance Controlling Meeting Content Managing Post-Meeting and Recording Content... 26

5 Introduction The Microsoft Office Live Meeting service provides a central access point for all meeting participants. Regardless of whether they are at the office, on the road, or at home, participants can connect to a Live Meeting session hosted on the Internet. This flexibility, however, is accompanied by some unique security challenges. Some meetings contain confidential material and therefore require special attention with regard to who can access the meeting and how to safeguard the meeting content. The Office Live Meeting service, from meeting access to data storage and transmission, was designed in an environment of security awareness, and built-in security features allow conference center administrators, meeting organizers, and meeting attendees to extend security. This document provides an overview of the security issues that you should consider when you use the Live Meeting service, the Live Meeting security measures available to you, and the procedures for scheduling and conducting secure meetings. About This Guide This guide discusses security for the Office Live Meeting service from different perspectives, from the security considerations that are built into the service to help secure critical data, to the features and best practices for managing attendance and conducting meetings. It is divided into three parts: Part I is written for the technical decision maker who is responsible for ensuring that the product meets the organization s security requirements. It discusses the security considerations that were designed into Office Live Meeting and the various controls that are available to the organization. Part II is written for the administrator of the organization s Office Live Meeting conference center. It helps administrators configure Office Live Meeting in a secure manner by providing information about restricting memberships, enforcing passwords and meeting keys, and setting policies. Part III is written for meeting organizers and attendees. It provides tips and best practices for scheduling and conducting secure meetings.

6 2 Microsoft Office Live Meeting Service Security Guide Part I: Office Live Meeting Security Microsoft s commitment to providing more secure computing environments includes a comprehensive approach to building and delivering products with high security in mind, and helping customers configure and deploy them in a continued state of high reliability. The Trustworthy Computing initiative, described in detail on the Microsoft Trustworthy Computing Web site at provides the policies and assurances that form the foundation for this security mindset. Trustworthy Computing is necessary to provide an environment that allows the user to feel confident that critical business needs are met without compromising information that must be protected. The Trustworthy Computing initiative defines four goals that all Microsoft products must meet: Security. Microsoft products are designed to withstand attack by malicious people or programs, while protecting the confidentiality and consistency of the data that the products originate or consume. Privacy. Microsoft products enable customers to better maintain control over their personal information, while being able to ensure and verify that internal information auditing policies can be implemented with accuracy. Reliability. Microsoft products are designed to offer robust, reliable, and trouble-free communications and computing services. Business Integrity. Microsoft will provide responsible, conscientious support for its products, remaining aware of the customer relationship. Microsoft will behave in a responsive manner to the needs of its customers. To ensure that the Trustworthy Computing initiative meets these goals, products are designed under four guiding principles, sometimes referred to as SD3+C: Secure by design. Products are designed in an environment of security awareness, with a focus on security features built into the product, and undergo rigorous security testing during development. Secure by default. Areas of product functionality will not be enabled by default unless an administrator chooses to implement them. Services that do not need to be running will not run unless required and administrative functions will require proper credentials. Secure in deployment. Microsoft understands that products do not exist in a vacuum and must be deployed in diverse enterprises. Administrators need to be able to ensure that their installations will coexist with other systems, providing encryption for sensitive data, and preventing unauthorized entities from accessing important information. Communications. Microsoft maintains a commitment to communicating with customers. These communications begin with providing ample product documentation, and continue through a product's lifecycle by communicating information about vulnerabilities, service packs, training opportunities, and upgrades. As a hosted Web conferencing service, Live Meeting recognizes and respects the responsibility it assumes on behalf of its clients to emphasize security for all meetings and associated stored content. To provide its users with the confidence that their Web conferencing experience is protected, the Live Meeting service focuses significant effort toward addressing the three cornerstones of delivering a secure service: Access controls Content storage Data transmission

7 Microsoft Office Live Meeting Service Security Guide 3 This section discusses these three cornerstones in detail. Access Security The Live Meeting user interface provides a rich set of features to allow organizations to programmatically manage and control meeting ownership, access, participation, and content. By using these features, companies can establish and enforce their own security policies and procedures at a level appropriate to their needs. Meeting Ownership Live Meeting is designed for continuous collaboration and ongoing protection of sensitive data. In meetings where there is only one presenter, if the presenter exits the meeting for any reason, Live Meeting maintains the security policies of the meeting, and lets the original presenter assume control upon re-entering the meeting. In meetings with more than one presenter, Live Meeting grants additional privileges to only those people who have been designated as presenters by the meeting organizer. Under this strategy, organizers are assured that presenters maintain control of meeting data and other meeting capabilities, and that these capabilities do not fall into the hands of unauthorized meeting participants. In this way, Live Meeting maintains ownership security and continued access throughout the duration of the meeting. Access Control Live Meeting offers different levels of meeting access controls with varied degrees of security to address general public meetings, as well as highly confidential meetings. Live Meeting offers users of its Web conferencing services a choice of four increasingly stringent, authentication mechanisms to control access to their meetings, as listed below. Meeting organizers can select the access control mechanism that is best suited for their particular meeting event, ranging from public forums to private conferences, or can choose to combine controls so that attendees require different levels of authentication than presenters. The access control options are as follows: Open Meeting (Public Sessions). At this minimum-security level, any user in possession of the meeting URL or meeting ID can attend with no additional authentication required. Therefore, because audience members do not require a meeting key or user account, anyone can attend an open meeting. This mechanism is ideal for public events where a broad range of attendance and participation is welcome. Meeting Key (Optimum Security). When additional security is needed, presenters and audience members can be required to enter both a Meeting ID and a Meeting Key. The Meeting Key is a string composed of numbers, letters, and symbols of a length defined by the administrator, which is either randomly generated or defined by the meeting leader. Audience members and presenters use these keys to establish their level of permission for the meeting. For convenience, a Meeting Key can be replaced with a new key that the meeting leader chooses (up to 64 characters). Additional safeguards can be added to user password and meeting key complexity requirements, which give the administrator some flexibility to ensure that easily guessable passwords and keys are not used in their conference center. Access Control Lists (Maximum Security). At the high-security level, meeting organizers can create an access control list (ACL) against which all meeting attendees (presenters and audience members) are cross-referenced before being permitted to attend. The cross-referencing is achieved through the use of unique user IDs, which all meeting attendees (both presenters and audience members) are required to provide, in addition to passwords. This is the most secure access level because participants do not have the opportunity to change their display names, which means that meeting organizers are able to explicitly specify who is permitted to attend. Varying levels of access control can be applied differently to attendees and presenters to help ensure meeting security.

8 4 Microsoft Office Live Meeting Service Security Guide Lightweight Directory Access Protocol (LDAP) and Central Directory Service Integration (Customized Security). By taking advantage of the powerful application programming interfaces (APIs) that Live Meeting provides, meeting organizers and participants can be authenticated through their own corporate directory services. After they are authenticated through their own intranet, users can access their Live Meeting accounts to schedule and conduct meetings. Participation Control Live Meeting provides a mechanism that allows organizers to monitor and control their meetings in real time. The meeting client gives presenters the ability to dismiss any user from the meeting at any time, without disrupting the course of the meeting. Meeting organizers can control access to meetings with an access control list (ACL), which ensures that only those who have a membership in your Live Meeting account and who have specifically been invited can enter the meeting. It also ensures that during the meeting, you can verify the identity of attendees in the attendee list. This feature enables meeting presenters to quickly dismiss attendees who should not be present at certain times during the meeting, such as when confidential information is about to be introduced. It also provides a means of ejecting attendees who are proving unruly or disruptive. As an additional security measure, by enabling the Meeting Lobby feature in Live Meeting, presenters can, during the course of the meeting, control who is allowed into the meeting, regardless of whether they were previously authorized. Note Content Control Presenters retain control over their content. Meeting content can be uploaded to servers where only the meeting presenters can make changes to it. Content and meeting records can be programmatically saved or deleted at the organizer s discretion. For example, records of meetings and associated content can be automatically earmarked for deletion when certain conditions are met (for example, at the conclusion of each meeting, at the conclusion of meetings scheduled by particular users, and so on). Schedule Privacy Live Meeting is engineered so that meeting calendars and schedules can only be viewed by authorized and authenticated people. This helps ensure that meeting itineraries cannot be sought out or stumbled upon by unauthorized viewers. Attendance Tracking You can verify the identity of a meeting attendee only if the meeting was set up to use an access control list. In meetings that do not use an access control list, attendees are allowed to enter any display name. Live Meeting provides a mechanism to view attendee status in real time, and to disconnect participants, if necessary. The Support Control Panel not only lists the names of the participants, but also the IP address from which they connected, as well as information about their browser and operating system. To eject a participant, the meeting organizer merely has to select the appropriate name from the list and click the Disconnect User button at the bottom of the page. Live Meeting also provides an audit trail to capture details on every participant who attends a meeting. The Attendance Report lists the name, IP address, and role of each attendee (that is, presenter or audience member). The Attendance Report displays the exact time each participant arrived, as well as how long they remained connected. Optional fields that can be configured for each attendee to provide include address and company name. This information can also be listed in the Attendance Report.

9 Microsoft Office Live Meeting Service Security Guide 5 Content Storage Security Persistent Content Persistent content provides you with the convenience to use and reuse the same presentations after they are uploaded to the service. This can result in significant time savings for the meeting leader. While stored on the service, meeting content remains encrypted for the duration of the persistent storage. By default, meeting content automatically expires 90 days after the meeting ends. Organizers have the option to selectively delete presentation content at any time or set up automatic deletion of presentations using the Content Expiration feature. This lets users ensure that all data has been removed from the Live Meeting servers, if it is not being stored for future use. High Performance Uploading your presentation within the Live Meeting service provides higher performance. Because the Live Meeting hosting facilities have very high bandwidth connections to the Internet, your content is presented to all meeting participants as rapidly as possible. This architecture also minimizes any potential bottlenecks caused by slow connection rates from individual presenters. Software Security In the world of online security, threats can range from random attempts at penetration, such as those posed by automated vulnerability scanners, to targeted efforts to view and possibly usurp proprietary and confidential information. Such threats are real and growing. To combat these risks, eight separate layers of software security collectively enhance protection of the Live Meeting infrastructure, serving as a fortification around all customer data. Filtering Routers. Filtering routers reject attempts to communicate to non-routable IP addresses in our hosted environment. This helps to prevent common attacks that use automated vulnerability scanners searching for vulnerable servers. Although relatively easy to block, these types of attacks remain a favorite method of attackers in search of weaker defenses. Firewalls. Firewalls restrict data communication to known and authorized ports, protocols, and destination IP addresses. External access to the Live Meeting infrastructure is restricted to the ports and protocols that are required for the communications between the Live Meeting servers and the meeting participants. The Live Meeting firewall also performs packet inspection, which helps to ensure that the actual contents of the packets contain data in the expected format and conform to the expected client and server communication scheme. Intrusion Detection Systems. The Live Meeting service uses network-based intrusion detection systems (IDS) to perform real-time monitoring of incoming and outgoing traffic, looking for anomalies in the usual patterns for delivering Web conferencing services. The Live Meeting hosted environment is monitored 24 hours a day, 7 days a week and generates immediate notification of detected inappropriate activity, which is then analyzed. Corrective action is taken, if necessary. IDS performs protocol analysis (and can be used to detect a variety of attacks and probes, such as port scans) and attempts to communicate using inappropriate IP address ranges. Systems Level Security. The Live Meeting service is designed to help prevent other common types of malicious activity by disabling nonessential services, which have historically been known points of attack. Examples of some of these types of services include Telnet connectivity, sysadmin daemons, and printer services. Application Authentication. The Live Meeting service enables meeting organizers to enforce the level of participant authentication they feel is needed to protect their meetings. Meetings can be scheduled with a range of access controls, including strict use of Meeting Keys and access control lists, which require individuals to log on using unique user IDs and passwords. All passwords are stored using a one-way hash algorithm (SHA-256), providing an extra level of protection.

10 6 Microsoft Office Live Meeting Service Security Guide Application Level Countermeasures. The Live Meeting service implements countermeasures to help prevent common traps, such as buffer overflows, which have been successfully used by attackers for years to gain access to vulnerable software. Application input is bounds checked and security measures are constantly being hardened against the latest attacks and threats. Separate Data Network. The Live Meeting service isolates the actual servers that house data onto a network separate from the rest of the Live Meeting facility. This restricts access to the uploaded data to only a specified set of servers that reside behind the firewall inside the Live Meeting hosting facilities. Hosting Infrastructure Security The Live Meeting Web conferencing service is designed to be a secure and reliable Web conferencing solution. To insure the highest level of security, Live Meeting requires the stringent implementation of security policies within both the physical security measures of the hosting facility and the certification programs built into the hosting infrastructure. Physical Security Physical security starts with the design of the secure data centers located at Live Meeting co-location hosting facilities in the United States and the United Kingdom. State-of-the-art safeguards protect the Live Meeting Data Centers, including 24 hours a day, 7 days a week secured access, motion sensors, video surveillance cameras, biometric controlled access, and security breach alarms. These safeguards are designed to ensure that only authorized Live Meeting operations personnel gain access to these areas. Dedicated and Certified Security Personnel The contents of any Web presentation, live or recorded, visual or audio, and any presentation materials uploaded to the Live Meeting servers are treated as the intellectual property of the customer. Live Meeting employees and agents do not view these materials except as required to diagnose and support the service, and then only at the specific request of the customer (or as per legal process). In keeping with the Microsoft commitment to Trustworthy Computing, the Data Centers enforce clear policies to help ensure that any necessary viewing of such content is restricted to the authorized operations and technical staff that support the service. There are a strictly limited number of authorized Live Meeting personnel who have the ability to access customer Web conference sessions, and these personnel are closely supervised. Third Party Certifications The Live Meeting Web conferencing service is a Cybertrust certified service provider. The Cybertrust Security Management Program is a thorough security risk reduction and certification program that addresses all aspects of proactive information security, from network and system analysis to physical and policy inspection. Here is a brief excerpt that describes the value of this accreditation: The Cybertrust Security Management Program integrates multiple security practices and procedures to help organizations identify and mitigate risk to critical IT assets. The program also assists the organization with maintaining optimal security. More information is available at Data Transmission Security There are two key aspects to data transmission: the encryption used to send data over the Internet, and the manner in which data travels through the firewalls of each meeting participant. All encryption used by LiveMeeting is based on Industry/Government approved algorithms and standards.

11 Microsoft Office Live Meeting Service Security Guide 7 Encryption During a Live Meeting session, content is distributed over the public Internet to the participants of the meeting. All data that is transmitted between the Live Meeting client and the Live Meeting service is transmitted using advanced Transport Layer Security (TLS) encryption to help prevent unauthorized interception; this is the same technology that major financial institutions use to safeguard their online transactions. When uploaded presentation slides reach the Live Meeting Data Center, they are encrypted with 128- bit Advanced Encryption Standard (AES) encryption. During conferences, these slides are sent over the Internet in their encrypted format and are only decrypted after they are successfully received by each participant, when the presenter shows the slide to participants using the Live Meeting client. The attendees initiate TLS connections to a Live Meeting Data Center using the HTTPS (HTTP Secure) protocol, which encrypts data sent over that connection. Each participant uses a unique session key to initiate the encrypted client and server connection. After attendees establish an encrypted connection, they receive a private key for the AES-encrypted meeting slides over that safer connection. This approach lets Live Meeting take advantage of participants proxy servers while limiting the potential for exposing meeting content. Note The audio and video portions of a meeting cannot be transmitted through an authenticating proxy server. Although you could disable authentication to allow transmission of audio and video, this may not be an acceptable option for your organization. Firewall Policy and Auto Sensing Technology In order to accommodate the widest range of users, a Web conferencing service must be able to allow participants to connect from corporate environments that are often protected by firewalls. The nature of business communication today requires information workers to interact with people both inside and outside of their organization. Live Meeting Web conferencing employs unique technology to determine the most efficient communications transport allowed by a participant s firewall for use during the meeting. This approach reaches the widest number of users possible and involves choosing a communications transport independently for each user so that no one is forced to endure a slower connection because of the configurations of other users firewalls. What is Firewall Policy? Firewall policies define which packets are allowed into or out of the intranet. Packets coming into the intranet may be blocked because they have potential to expose computers located behind the firewall to attacks from people outside the firewall. Packets inside the firewall may be prohibited from passing outside of it to minimize the risk of sensitive information passing out of an owner s control. The most restrictive policy is to deny all transmissions across a firewall; you can accomplish this easily by disconnecting the two networks. Under these conditions, no Internet communications can pass to the intranet, and no intranet communications can pass to the Internet. This is sometimes the policy in extreme high-security networks. However, this means that users inside the intranet cannot access information on the Internet. For example, they are not able to use a browser to access the Web. Since such limitations are too extreme for most users, Information Technology (IT) departments that typically manage communication networks usually set more permissive policies. But the permissiveness of these policies varies considerably from organization to organization. Rules typically depend on specific protocols or ports as described in the following sections.

12 8 Microsoft Office Live Meeting Service Security Guide Firewall Policy: Protocols Protocols are the language of data communications. Different protocols can be used to transmit data from one computer to another. Certain protocols are more efficient or perform better for certain kinds of communication. Firewalls can also be configured to allow only certain protocols for data transmission. Web conferencing applications commonly use Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) as transport layer protocols, and HTTP as an application layer protocol. TCP. Technologies such as streaming audio and video, file transfers, and terminal emulators often use protocols such as TCP. A firewall administrator might want to prevent file transfers and would therefore establish a policy that allows only the HTTP or HTTPS protocol. UDP. Voice and video over the Internet sometimes use UDP. UDP is sometimes referred to as a best effort protocol, which means that the data packets are sent once and not re-transmitted, even if they were not successfully received and acknowledged. HTTP/HTTPS. IT departments often configure their firewalls to allow only packets that are using approved protocols to pass through. For example, most firewalls allow users to browse the Web, which uses protocols called Hypertext Transmission Protocol (HTTP) and Secure Hypertext Transmission Protocol (HTTPS). Firewall Policy: Ports Communications, which are written in certain languages or protocols, are targeted for approved locations, known in this context as ports. Ports describe the location to which the data packet will be transmitted at the destination address. Firewalls can limit the port ranges that data is permitted to travel. Firewalls can also have rules applied to restrict the direction (inbound, outbound) that data may travel and which communication channels can be initiated. By restricting the port, you can limit where communications are able to go. For instance, the standard port for the Web is port 80, and some firewall administrators configure their firewalls to allow HTTP traffic to go only to port 80. TCP. Some real-time collaboration tools are designed to require specific TCP ports, such as Session Initiation Protocol (SIP) over port Although SIP is approved by various international standards organizations, it is not universally enabled by firewall administrators. For this reason, it will not work across restricted firewalls. Users who want such products supported can ask their firewall administrators to "punch a hole" in the firewall to allow specific protocols and ports. But most firewall administrators are reluctant to do this without studying the protocols and products in depth to ensure that they will not make their intranets vulnerable to attack. Certifying protocols is often time consuming, even if configuring the firewall is straightforward. As a result, this approach is usually impractical for events that are not planned well in advance. Because of the performance advantages of direct TCP connections, Live Meeting automatically senses whether certain protocols are allowed through the firewall and uses them if allowed. HTTPS (Port 443). The Live Meeting service uses HTTPS and port 443 tunneling to ensure that communications are allowed through any firewall that supports Web browsing. Tunneling streaming data, such as that used in Live Meeting over a protocol like HTTPS, is less efficient, and thus adds some performance penalty. Live Meeting supports an HTTPS pass-through mode, but will only use this mode if a direct TCP connection cannot be established. Table 1 below outlines the protocols and ports that the Live Meeting client uses to connect to the Live Meeting Service. Note that not all the ports listed in the table below are required for Live Meeting Service functionality. The ports used for connectivity to the service are dependent on the outbound ports allowed through customer firewall configuration. Live Meeting automatically senses whether certain ports are allowed through the firewall and uses them if allowed.

13 Microsoft Office Live Meeting Service Security Guide 9 Table 1. Protocols and ports used by Live Meeting Function Source Destination Network/ Application Initiator Port(s) Receiver Port(s) Protocol Media session control 1 Live Meeting client Live Meeting Service (Access Proxy) TCP / SIP / TLS Live Meeting client Live Meeting Service (Access Proxy) TCP / SIP / TLS Media data transport to the Media Relay 3 Live Meeting client Live Meeting Service (Media Relay) UDP / STUN / TURN Live Meeting client Live Meeting Service (Media Relay) TCP / STUN / TURN Live Meeting client Live Meeting Service (Forwarder) 443 TCP / SRTP Media data transport to the Forwarder via TLS Live Meeting client Live Meeting Service (Forwarder) TCP / TLS Live Meeting client Live Meeting Service (Forwarder) TCP / TLS Web Access Live Meeting client Live Meeting Service (Web Server) 80 TCP / HTTP Live Meeting Web Access browser Live Meeting Service (Web Server) 443 TCP / HTTPS 1 The Live Meeting client connects to the Live Meeting Service Access Proxy on either port 5061/TCP or port 443/TCP, depending on the port that is allowed through the firewall. 2 To simplify local firewall policies, you can restrict the source port range by using the following Live Meeting client registry keys. However, a minimum of 20 ports (for example 50,000 50,019) are required to allow all Live Meeting audio and video scenarios to succeed. HKEY_CURRENT_USER\Software\Microsoft\Live Meeting\Console\Version 8.0\Attendee\MediaPortRangeMin HKEY_CURRENT_USER\Software\Microsoft\Live Meeting\Console\Version 8.0\Attendee\MediaPortRangeMax HKEY_CURRENT_USER\Software\Microsoft\Live Meeting\Console\Version 8.0\Presenter\MediaPortRangeMin HKEY_CURRENT_USER\Software\Microsoft\Live Meeting\Console\Version 8.0\Presenter\MediaPortRangeMax 3 The Live Meeting client connects to the Live Meeting Service Media Relay using 3478/UDP or 443/TCP, depending on the protocol and ports that are allowed through the firewall. 4 The Live Meeting client connects to the Live Meeting Service Forwarder on either port 8057/TCP or port 443/TCP, depending on the port that is allowed through the firewall. Auto Sensing Technology As this section has discussed, it is possible to choose different protocols to ensure the largest possible reach. However, most users are not aware of their firewall policy settings. Therefore, they are unable to manually select the optimal solution for their unique situations. Live Meeting provides unique auto sensing technology that automatically respects firewall policies and optimizes client and server communication policies strategically to offer each client a secure connection with the best performance possible. Each participant connecting to the Live Meeting service will use the most efficient method of the previous two options, based on what is permitted by their firewall policy.

14 10 Microsoft Office Live Meeting Service Security Guide Part II: Security Features for Conference Center Administrators Office Live Meeting includes several features to extend security, which help administrators configure Office Live Meeting in a secure manner by restricting memberships, enforcing passwords and meeting keys, and setting policies. Corporate Software Installation Policies To help safeguard desktops and computer networks, some corporations enforce policies that restrict installation of the software to administrators. In previous versions of the Windows-based Live Meeting client, a user was required to be a member of the local Administrators group to install the client. In this version, a user-mode Windows-based client can be installed without requiring Administrator credentials; however, the user will not be able to import documents, such as Microsoft Office Word or Microsoft Office Excel spreadsheet software documents, which use the MODI print driver. Note User mode installation is not supported on Windows Server Web-Based Client To best meet both the needs of system administrators and the needs of Live Meeting users, Live Meeting offers two different meeting client options. If an end user is running an operating system other than Windows or otherwise cannot install the software that is required to run the Windows-based Live Meeting client, the user can still use the Web-based meeting client. Both the web client and the client side application enforce the various security measures in place to protect the confidentiality and integrity of the meeting content. For more information about the Windows-based meeting client and the Web-based client, please refer to the Microsoft Office Live Meeting Administrator s Guide. Managing Memberships There are three different types of Live Meeting user roles Administrator, Organizer, and Member each with a specific set of user rights. This section is addressed to members in the Administrator role, who can create and manage memberships. When you create a new membership, you assign it a user role. Live Meeting grants access to conference center features by user role. It is therefore important to assign an appropriate user role to each new membership in the Live Meeting account. Note Organizers with Administrator privileges in previous versions of Live Meeting inherit the role of Administrator in this version of Live Meeting. Table 2 below describes all the privileges that can be assigned to a user role. An X denotes a privilege that is enabled for a user role by default. An administrator can modify the privileges associated with a user role at any time. An administrator can also grant or deny to individual users the right to access specific features.

15 Microsoft Office Live Meeting Service Security Guide 11 Table 2. Default user role privileges Privilege Administrator Organizer Member Account Administrator Rights X Address Book X X Meetings - Schedule Meeting and Meet Now X X Meetings - Meet Now Only Print to PDF Presenters Only Print to PDF All Participants X X App Sharing Single Application Only X X App Sharing Desktop and Single Application Custom Frame X X Recordings Create and Manage recordings X X Recordings Manage Existing Recordings Only Creating a Membership You create a membership to provide an individual in your organization with access to Live Meeting. The type of membership that you create for an individual will determine the level of access that the user has to Live Meeting features. For example, if you want to allow a user to schedule meetings, you would create a membership in the Organizer role. If you plan to control access to meetings with an access control list (ACL), you will also want to create memberships in the Member role for those who will only attend meetings. To create a new membership 1. Log on to the Live Meeting conference center with an account that is in the Administrator role. 2. On the My Home page, in the Administer section, click Account. 3. On the Account Administration Home page, click Memberships. 4. On the Administer Memberships page, click Create New Member. 5. In the Member Details section of the Create New Member page, in the appropriate boxes, type the user ID (user name), full address (such as someone@example.com), and first and last name of the member you want to create. 6. In the Password box, type the password for the membership. In the Confirm Password box, retype the password. 7. Optionally, in the Bill To text box, type the administrative code that your organization will use to bill the member s use of the Live Meeting service. 8. To send a system-generated welcome message to the member, select the Send Welcome check box. The message will contain the member s user login and password. 9. In the Time Zone list, click the time zone where the member is located.

16 12 Microsoft Office Live Meeting Service Security Guide 10. Under Member Privileges, in the Role list, click the Live Meeting role that you want to assign to the new member. 11. If you selected the Administrator role, to allow the member to make administrative changes to his or her own account, select the Account Administrator Privileges check box. 12. If you selected the Organizer or Administrator role, to allow the new member to view the Live Meeting address book, select the Address Book check box. 13. If you selected the Organizer or Administrator role, to allow the member to schedule meetings, in the Meeting Types list, click Schedule Meeting and Meet Now. To prevent the member from scheduling meetings, click Meet Now Only. 14. If you allow the member to schedule meetings, select or clear the appropriate check boxes to allow or deny the member the ability to use the following Live Meeting features in meetings the member schedules: Application Sharing. If you enable this option, use the Application Sharing list to specify whether the member can share only a single application or share the desktop and a single application. Print to PDF. If you enable this option, use the Print to PDF list to specify whether all participants or only presenters can print slides and other documents associated with the meeting as Adobe Acrobat files (.pdf). Custom Frame. This feature allows the member to include a custom streaming media frame in the meetings that this member organizes. Recording to server. If you enable this option, use the Recording to server list to specify whether the member can only manage existing recordings or create new recordings and manage existing recordings. Recording to participant s computer. If you enable this option, use the Recordings list to specify whether to only allow presenters to record or to allow presenters to record and permit attendees to record. 15. To add the member to a group, under Member Groups, in the Available Groups list, click the group to which you want to add the member, and then click Add. 16. Click Submit. Restricting Memberships All users whose membership is in the Administrator role can access settings that affect your organization s Live Meeting account. Administrators can create new memberships and modify privileges on user roles or on existing memberships. It is important to manually monitor the Administrator memberships that are created on the account in order to prevent abuse of the privileges entrusted to the Administrator role. Consider limiting the number of memberships in the Administrator role. You can restrict or deny a user s access to the Live Meeting conference center by changing the user role associated with the membership. For example, a user in the Member role cannot create new meetings but can access any existing meetings or recordings associated with the user login. If an individual leaves your organization, you must delete not only the individual s network account but also his or her Live Meeting membership. However, when you delete a membership, the meetings and slide sets associated with the membership are also deleted. For this reason, you might prefer instead to restrict a user s access to the conference center by changing the user login and password of the membership. If you change only the password, the user can still use the automated password reset tool to reset the password and regain access to the account.

17 Microsoft Office Live Meeting Service Security Guide 13 Enforcing Password and Meeting Key Policies Administrators can control the level of complexity required for users passwords. For new conference centers, the default requirement is that passwords contain at least one capital letter. Administrators can implement additional requirements, as discussed below in the section, Conference Center Account Policies. The more complexity rules that are required by the administrator (configurable by using a set of check boxes in Live Meeting Manager), the stronger the passwords and the greater likelihood that your Live Meeting account security will not be breached because a hostile user determined a member s password. We recommend that you enforce complex passwords and require users to change their passwords periodically. Administrators can reset passwords for individual member accounts. Password and meeting key policies are described in detail in the following section. Live Meeting Policies Live Meeting policies impose specific security measures with no further action on your part. Conference center account policies affect all users who log in to your conference center account. User role policies affect all users whose memberships are in a specific role. You can also specify exceptions to policies for individual Live Meeting members. Conference Center Account Policies Certain features must be enabled as part of the conference center account policies before they are available as options to meeting organizers. The policies affect all users of the conference center. Live Meeting conference center account policies fall into the following categories: Meeting policies Password and meeting key policies Audio policies Meeting Policies Features that can be enabled or disabled at the conference center account level are: enforced content expiration, meeting lobby, and recording. Figure 1 below shows the Edit Meeting Policies page.

18 14 Microsoft Office Live Meeting Service Security Guide Figure 1 The Edit Meeting Policies page The Edit Meeting Policies page contains the following features: Content Expiration. Enforce content expiration in order to automatically delete meeting resources from the server at a set time after meetings have ended. If you do not enforce content expiration and an organizer does not enable content expiration for a meeting, the meeting resources will remain on the server until the organizer manually deletes them. Meeting Lobby. The Meeting Lobby is a space where people can request to join a meeting when either they do not have an invitation or they have been invited, but the meeting is locked. The Meeting Lobby is similar to a no reservation audio conference, in which attendees can attempt to join a meeting at any time, regardless of their invitation status. The security risk inherent to the Meeting Lobby is that anyone can enter the Meeting Lobby without providing a meeting key. Because Live Meeting does not authenticate users who appear in the Meeting Lobby, you have to rely on other means, such as the telephone, , or instant

19 Microsoft Office Live Meeting Service Security Guide 15 messaging, to verify the identity of the person requesting access to the meeting from the Meeting Lobby. You can instruct organizers on the risks and appropriate use of the Meeting Lobby, or you can disable the Meeting Lobby feature. If you disable the Meeting Lobby at the conference center account level, it is not available as an option for organizers to choose when they schedule meetings. Recordings. Recordings are not encrypted while stored on the service, nor are they encrypted in transit. Disable recordings if you are concerned about storing potentially confidential or sensitive information in any form on the Live Meeting service. Enable recordings in order to allow presenters to record their meetings. If you enable recordings as part of the conference center account policies, organizers can enable recording when they configure meeting options. Even when recording has been enabled for a meeting, the meeting is not recorded until a presenter manually starts recording. Organizers can permit meeting participants to only view recordings on the server unless you explicitly allow organizers to permit meeting participants to also download recordings. Handouts. A feature of this release is the ability for organizers or presenters to upload handouts to a meeting, which can be downloaded by attendees to their own computers. Administrators can choose whether to allow this feature for their conference center, and then specify the file types that are allowed. While stored on the service, handouts are protected via encryption. Password, Meeting Key, and Recording Key Policies Password, meeting key, and recording key policies determine whether or not users can change their own passwords, whether passwords are required to be complex, and whether only server-generated meeting keys and recording keys are valid. Password, meeting key, and recording key policies also dictate the minimum length and complexity requirements for passwords and keys. Complexity requirements apply to both passwords and keys. If the password and key policies for the conference center do not have sufficient complexity requirements, meeting organizers can potentially schedule meetings with meeting and recording keys that are easy to guess. Complex keys help make it more difficult for unauthorized and uninvited persons to join a meeting. To edit password, meeting key, and recording key policies 1. Log in to the Live Meeting conference center with a membership that is in the Administrator role. 2. On the My Home page, in the Administer section, click Account. 3. On the Account Administration Home page, click Roles and Policies. 4. Next to Password and Meeting Key Entry Code/Recording Key Policies, click Edit. 5. Select the following check boxes for each policy that you want to enable: Allow users to change their passwords User passwords must meet additional complexity requirements Meeting Entry code and Recording Key must meet additional complexity requirements Only the Meeting Entry Codes and Recording Keys generated by the server are valid 6. Under Additional Complexity Requirements, in the Minimum Length box, type the minimum number of characters required for passwords and meeting keys. 7. Select the following check boxes for each complexity requirement that you want to enable: Meeting Entry Code, Recording Key and Password must contain at least one number Meeting Entry Code, Recording Key and Password must contain at least one uppercase letter

20 16 Microsoft Office Live Meeting Service Security Guide Meeting Entry Code, Recording Key and Password must contain at least one lowercase letter Meeting Entry Code and Recording Key cannot contain the meeting ID; passwords cannot contain the user ID Meeting Entry Code, Recording Key and Password must begin and end with a number or letter Meeting Entry Code, Recording Key and Password must contain at least one character from the set `~!@#$%^&*()_+-={} []\:";'<>?,./ 8. Click Submit. Audio and Video Policies Use audio and video policies to enable the following audio and video features for participants: Enable Join Conference - Participants can have their conference provider call their phone. If your audio conferencing producer supports the Join Conference feature, you can use audio policies so that meeting participants can have the Live Meeting service call them. invitations for meetings where the audio is supplied by the Join Conference feature or traditional phone conferencing include the phone number and participant code. If the invitation is accidentally forwarded by a meeting participant, the result could be unwanted participants on the conference call. Enable computer audio conferencing from this Conference Center. This option makes the Computer Audio Conferencing feature available to members of the account for use in their meetings. Enable one way Internet Broadcast Audio from this Conference Center. This option makes the Internet Audio Broadcast feature available to members of the account for use in their meetings. If a meeting is configured to use Internet audio broadcasting, no meeting phone numbers or participant codes are included in the invitation. If Internet audio broadcasting is used, the only way to receive audio from the meeting is to join the Live Meeting. This option is available only if your account has licensed the Internet Audio Broadcast (IAB) feature. Enable Active Presenter Video for this Conference Center. This option allows members of the account to allow the active meeting presenter to show their video in the meeting. Enable Publishing of Leader Code to presenters in meeting invites and console. This option allows members of the account to publish the leader audio code in the invitations and meeting client. Conference Center Account Preferences Account preferences specify for all members in your organization s Live Meeting account the default meeting size, streaming media custom pane URLs, audio preferences, invitation preferences, and recording preferences. For example, invitation preferences and recording preferences affect Live Meeting security. When you configure invitation preferences as part of the account default preferences, you can enable integration with Outlook so that meeting organizers can send invitations from their own program. By using an program to send the invitation, the organizer can encrypt the invitation using whatever encryption methods the program supports. The recording preferences that are configured as part of the account default preferences specify whether all meeting participants or only the meeting organizer and Live Meeting administrators can use meeting entry information to view recordings of a meeting. Organizers and Administrators can always grant access to recordings to individual users.