Windows Meeting Space and Resulting Internet Communication in Windows Vista
In This Section
Benefits and Purposes of Windows Meeting Space
Overview: Using Windows Meeting Space in a Managed Environment
How Windows Meeting Space Communicates Across the Internet
Controlling Windows Meeting Space to Limit the Flow of Information to and from the Internet
Procedures for Configuration of Windows Meeting Space
Benefits and Purposes of Windows Meeting Space
Windows Meeting Space is a feature of Windows Vista that enhances computer-based meetings and collaboration between users. With Windows Meeting Space, groups can quickly form a shared, common session for up to ten people who have connectivity between their computers. Those joining the meeting session must use a password, which helps maintain security for the session.
In a meeting supported by Windows Meeting Space, participants can "project" their desktops or applications to other participants or to any Windows Vista compliant Network Projector. Meeting participants can also share a file with a group in a common work area and then jointly edit the file. Even if no connection to a fully configured network is available, users can effectively collaborate with other users by using an ad-hoc mode. (The ad-hoc mode cannot cause communication across the Internet, so it is outside the scope of this white paper.)
A user can initiate a meeting through Windows Meeting Space and then invite other users to join. The invitations can take several forms, including e-mail based invitations or file-based invitations.
Windows Meeting Space is intended to make collaboration easy for people who are in the same room. Therefore, only in specific circumstances would a meeting created through Windows Meeting Space involve communication across the Internet. For more information about the meetings that would involve communication across the Internet, see "How Windows Meeting Space Communicates Across the Internet."
To learn more about how Windows Meeting Space works, see the informational page on the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=71528
Security-Related Features in Windows Meeting Space
Windows Meeting Space in Windows Vista includes a variety of security-related features, including:
Password protection: Windows Meeting Space requires a password for each meeting that users set up or join. By default, in the context of a domain, such passwords must be as strong as a domain user account password. In other words, such passwords must follow the same password policies (such as password complexity) as the logon password of the user.
Note that the password strength requirement in Windows Meeting Space can be disabled through Group Policy. This Group Policy is not described in this section, because in a managed environment, it is assumed that you want to require strong passwords.
Data encryption: In Windows Vista, Windows Meeting Space uses Transport Layer Security (TLS) version 1.0. When users create or participate in a meeting, Windows Meeting Space uses certificates (unseen by users) for encryption of the meeting password and of all information exchanged between users during the meeting.
Windows Meeting Space auditing: By default, Windows Meeting Space auditing is disabled, but if you enable it, you can log information about Windows Meeting Space activity. The log where this information is captured is in Event Viewer under Applications and Services Logs\Microsoft\Windows\MeetingSpace.
The log can capture relevant details when the following actions occur in Windows Meeting Space:
The local user creates or joins a meeting
A remote user joins a meeting
A presentation is started or stopped
A file is shared
For instructions for enabling Windows Meeting Space auditing by using Group Policy, see "Procedures for Configuration of Windows Meeting Space," later in this section.
Overview: Using Windows Meeting Space in a Managed Environment
In a managed environment, you might want to use Group Policy to disable Windows Meeting Space completely, or to disable aspects of Windows Meeting Space, such as file sharing (or the ad-hoc wireless feature of Windows Meeting Space). You can also use Group Policy to enable auditing of Windows Meeting Space activity (to save auditing information in logs on individual computers running Windows Vista). For more information, see "Procedures for Configuration of Windows Meeting Space," later in this section.
How Windows Meeting Space Communicates Across the Internet
Before Windows Meeting Space can be used to create a meeting that causes communication across the Internet, the following must be true:
All users must have a connection to the Internet.
All users must have a globally routable IPv6 address, that is, an appropriate technology must be in place so that the users' computers can use IPv6 addresses to communicate. Examples of such technologies include native (end-to-end) IPv6, 6to4, Teredo, and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) servers. For more information, see the links in Internet Protocol Version 6, Teredo, and Related Technologies in Windows Vista in this white paper.
A user who invites someone to the meeting must have a way to deliver the invitation, for example, through e-mail or by transferring a file-based invitation.
A user who invites someone to the meeting must have a way to tell that other user the password for the meeting.
Anyone who wants to join the meeting through an Internet connection cannot join through People Near Me or Sessions Near Me. In other words, a person who wants to join a meeting through an Internet connection must receive an e-mail or file-based invitation. (People Near Me traffic does not travel outside the user's subnet and therefore cannot travel across the Internet.)
Firewalls between the users must not block the ports or programs required by Windows Meeting Space. These firewalls might be the local firewall software on a client computer, or a separate firewall running on a server. For more information, see "Windows Firewall Settings for Windows Meeting Space," later in this section.
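The IPv6 prerequisite in the list above can be checked against an address inventory. The following is an added example, not part of the original white paper: it sorts each address into the technologies the list names (native, 6to4, Teredo, ISATAP) and reports the hosts that hold at least one global unicast address. The host names and addresses are constructed, and membership in 2000::/3 is used as an assumed stand-in for "globally routable".

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
TEREDO = ipaddress.ip_network("2001::/32")
SIXTO4 = ipaddress.ip_network("2002::/16")
ISATAP_IIDS = {0x00005EFE, 0x02005EFE}  # upper 32 bits of an ISATAP interface ID

def classify(addr):
    """Return (technology, globally_routable) for one IPv6 address string."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])  # drop a zone index such as %11
    routable = ip in GLOBAL_UNICAST  # assumption: 2000::/3 stands in for "global"
    if ip in TEREDO:
        return "Teredo", routable
    if ip in SIXTO4:
        return "6to4", routable
    if (int(ip) >> 32) & 0xFFFFFFFF in ISATAP_IIDS:
        return "ISATAP", routable  # link-local ISATAP (fe80::5efe:...) is not global
    return ("native" if routable else "non-global"), routable

def hosts_meeting_prerequisite(inventory):
    """Map host -> sorted technologies that give it a global unicast address."""
    result = {}
    for host, addrs in inventory.items():
        techs = {tech for tech, ok in map(classify, addrs) if ok}
        if techs:
            result[host] = sorted(techs)
    return result

# Constructed inventory. The 2001:db8::/32 documentation prefix is used for the
# sample native and ISATAP addresses and is treated like any other global prefix.
INVENTORY = {
    "pc-01": ["fe80::1c2d:3e4f:5a6b:7c8d%11", "2001:0:4136:e378:8000:63bf:3fff:fdd2"],
    "pc-02": ["fe80::5efe:192.0.2.10%14"],
    "pc-03": ["2002:c000:204::c000:204", "2001:db8:10:20:0:5efe:192.0.2.33"],
    "pc-04": ["2001:db8:10:20::15"],
}

if __name__ == "__main__":
    for host, techs in hosts_meeting_prerequisite(INVENTORY).items():
        print(host, ", ".join(techs))
```

A host that appears only with Teredo or 6to4 meets the prerequisite through a tunnel rather than through native IPv6.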
Communication by Windows Meeting Space Across the Internet
The following list provides details about how Windows Meeting Space communicates across the Internet when the criteria in the preceding list are met:
Specific information sent or received: The meeting invitation (e-mail or file-based) includes the following:
Name of the inviter (as specified for People Near Me)
Name chosen for the meeting
IPv6 addresses of the inviter
Programmatic information generated by Windows Meeting Space, including an identifier for the meeting, a Peer Name Resolution Protocol (PNRP) cloud name, and a PNRP cloud scope
Version of Windows Meeting Space and version of the invitation
Time
Note that when a user creates an e-mail invitation for Windows Meeting Space, the e-mail uses the SMAPI (Simple MAPI) standard, which means the invitation is attached to the e-mail message.
Information exchanged during the meeting (for example, a file that is sent) is sent using point-to-point connections.
Default settings: In Windows Vista, by default, a user can start the Windows Meeting Space interface. However, with the recommended default settings in Windows Vista, Windows Firewall is turned on and uses settings that block Windows Meeting Space. Therefore, the first time that a user starts Windows Meeting Space, it offers a prompt through which the correct exceptions for Windows Firewall can be configured. In the prompt, labeled Setup Windows Meeting Space, the user can click Enable file synchronization and Windows Firewall exception. The user is also prompted to enable People Near Me (with a security warning that provides more information) and to specify a name to use with People Near Me. (For details about the firewall settings, see "Windows Firewall Settings for Windows Meeting Space," later in this section.)
Triggers: Communication through Windows Meeting Space begins when people join a meeting. Before people can join the meeting, someone must create the meeting, set up the meeting password, and send an invitation (as e-mail or a file) to at least one other person. Anyone in the meeting can send an invitation to someone else, with a limit of ten attendees. Anyone joining the meeting must receive an invitation and must know the password that was set up by the person who created the meeting.
Logging (auditing): By default, Windows Meeting Space auditing is disabled, but if you enable it, you can log information about Windows Meeting Space activity. For more information, see "Security-Related Features in Windows Meeting Space," earlier in this section and "Procedures for Configuration of Windows Meeting Space," later in this section.
Encryption: In Windows Vista, Windows Meeting Space uses Transport Layer Security (TLS) version 1.0. When users create and participate in a meeting, Windows Meeting Space uses certificates (unseen by users) for encryption of the meeting password and of all information exchanged between users during the meeting.
Access: No information is stored at Microsoft.
Transmission protocol and port: See "Windows Firewall Settings for Windows Meeting Space," later in this section.
Ability to disable: You can use Group Policy to disable Windows Meeting Space. You can also use Group Policy to disable aspects of Windows Meeting Space, such as file sharing. (However, to disable file sharing for Windows Meeting Space, you must disable Distributed File System Replication.)
Windows Firewall Settings for Windows Meeting Space
The following tables provide details about the automatic configuration of Windows Firewall that is available through Windows Meeting Space when it is first started.
Windows Firewall ports opened by automatic configuration for Windows Meeting Space
Protocol | Port |
---|---|
TCP | 801 |
TCP | 3587 |
UDP | 1900 |
UDP | 3540 |
UDP | 3702 |
Windows Firewall exceptions created by automatic configuration for Windows Meeting Space
Application | Path |
---|---|
Netproj.exe | systemroot\System32\netproj.exe |
P2phost.exe | systemroot\System32\p2phost.exe |
Wincollab.exe | ProgramFiles\Windows Collaboration\WinCollab.exe |
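One way to compare a computer's firewall rules with the two tables above, shown as an added example that is not part of the original white paper. It assumes the rule listing was captured with `netsh advfirewall firewall show rule name=all verbose`; the sample rules and their names are constructed.

```python
WMS_PORTS = {("TCP", 801), ("TCP", 3587), ("UDP", 1900), ("UDP", 3540), ("UDP", 3702)}
WMS_PROGRAMS = {"netproj.exe", "p2phost.exe", "wincollab.exe"}  # both from the tables above

# Constructed, abridged sample of `netsh advfirewall firewall show rule name=all verbose`.
SAMPLE = r"""
Rule Name:                            Example grouping rule
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            801,3587
Action:                               Allow
Rule Name:                            Example collaboration program rule
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             Any
Program:                              C:\Program Files\Windows Collaboration\WinCollab.exe
Action:                               Allow
Rule Name:                            Example disabled discovery rule
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Protocol:                             UDP
LocalPort:                            3702
Action:                               Allow
"""

def parse_rules(text):
    """Split the listing into one dict per rule, with lower-cased field names."""
    rules = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep and key.strip() == "Rule Name":
            rules.append({})
        if sep and rules:
            rules[-1][key.strip().lower()] = value.strip()
    return rules

def open_wms_rules(text):
    """List (rule name, program, ports) for enabled inbound allow rules matching the tables."""
    hits = []
    for r in parse_rules(text):
        if (r.get("enabled"), r.get("direction"), r.get("action")) != ("Yes", "In", "Allow"):
            continue
        exe = r.get("program", "").rsplit("\\", 1)[-1].lower()
        listed = {int(p) for p in r.get("localport", "").split(",") if p.strip().isdigit()}
        ports = sorted(p for proto, p in WMS_PORTS if proto == r.get("protocol") and p in listed)
        if exe in WMS_PROGRAMS or ports:
            hits.append((r["rule name"], exe if exe in WMS_PROGRAMS else None, ports))
    return hits
```

Port ranges and named port values in `LocalPort` are ignored by this check, and a port match can come from a rule that belongs to another Windows feature, so review each hit before acting on it.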
Controlling Windows Meeting Space to Limit the Flow of Information to and from the Internet
You can control Windows Meeting Space to limit the flow of information to and from the Internet by using Group Policy. With Group Policy, you can accomplish one or more of the following:
Disable file sharing in Windows Meeting Space. However, to do this, you must disable the Distributed File Sharing (DFS) Replication service, which might affect other services and applications in your organization.
Control which file types can be shared in Windows Meeting Space. You can do this through Group Policy settings for Attachment Manager, an underlying feature on which Windows Meeting Space depends.
Enable auditing of Windows Meeting Space activity.
Disable Windows Meeting Space completely.
For details about using Group Policy to accomplish items in the preceding list, see "Procedures for Configuration of Windows Meeting Space," later in this section.
For information about using a Group Policy extension that contains settings for wireless networks, including settings that could disable the ad-hoc wireless feature of Windows Meeting Space, see "Additional References," later in this section.
For more information about using Group Policy, see Appendix B: Resources for Learning About Group Policy for Windows Vista.
Procedures for Configuration of Windows Meeting Space
The procedures in this section describe how to use Group Policy to:
Disable file sharing in Windows Meeting Space. However, to do this, you must disable the Distributed File Sharing (DFS) Replication service. If you use the DFS Replication Service for file and folder replication in your organization, do not perform this procedure.
Locate Group Policy settings for Attachment Manager that affect the file types that can be shared in Windows Meeting Space. Attachment Manager is an underlying feature on which Windows Meeting Space depends.
Enable auditing of Windows Meeting Space activity.
Disable Windows Meeting Space completely.
For information about using a Group Policy extension that contains settings for wireless networks, including settings that could disable the ad-hoc wireless feature of Windows Meeting Space, see "Additional References," later in this section.
To Disable File Sharing in Windows Meeting Space by Using Group Policy to Disable the DFS Replication Service
You can use Group Policy to disable the DFS Replication service, which will disable file sharing in Windows Meeting Space.
Important
If you use the DFS Replication Service for file and folder replication in your organization, do not perform this procedure.
See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate Group Policy object (GPO).
Note
You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).
Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then click System Services.
In the details pane, double-click DFS Replication, click Define this policy setting, and then click Disabled.
Important
You will only see the preceding setting in a Group Policy object that affects a domain, organizational unit, or site. The setting is not available for local Group Policy.
To Locate Group Policy Settings for Attachment Manager that Affect the File Types that Can Be Shared in Windows Meeting Space
As needed, see Appendix B: Resources for Learning About Group Policy for Windows Vista, and then edit an appropriate GPO.
Expand User Configuration, expand Administrative Templates, expand Windows Components, and then click Attachment Manager.
View the Group Policy settings that are available.
For a detailed explanation of a setting, select the setting and click the Extended tab, or open the setting and click the Explain tab.
For information about how these settings work with Attachment Manager, an underlying feature that controls how Windows Meeting Space handles file sharing, see the following article in the Microsoft Knowledge Base:
To Enable Auditing of Windows Meeting Space by Using Group Policy
See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate GPO.
Note
You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).
If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.
Expand Administrative Templates, expand Windows Components, and then click Windows Meeting Space.
In the details pane, double-click Turn on Windows Meeting Space auditing, and then click Enabled.
For a description of the kinds of information that can be captured when auditing is enabled for Windows Meeting Space, see "Security-Related Features in Windows Meeting Space," earlier in this section.
To Disable Windows Meeting Space by Using Group Policy
See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate GPO.
Note
You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).
If you want the policy setting to apply to all users of a computer and to come into effect when the computer starts or when Group Policy is refreshed, expand Computer Configuration. If you want the policy setting to apply to users and to come into effect when users log on or when Group Policy is refreshed, expand User Configuration.
Expand Administrative Templates, expand Windows Components, and then click Windows Meeting Space.
In the details pane, double-click Turn off Windows Meeting Space, and then click Enabled.
Additional References
For links to information about IPv6, see Internet Protocol Version 6, Teredo, and Related Technologies in Windows Vista in this white paper.
For information about Windows peer-to-peer networking, see the article on the TechNet Web site at: