Overview
"Zoombombing" happens when a non-secured meeting ID is shared or guessed and an uninvited anonymous attendee connects and eavesdrops or sometimes shares inappropriate content. Below are a number of strategies you can use, both when creating/scheduling your Meetings, and from your Profile settings.
**Zoom is updating the desktop client software more frequently than usual; if you receive a message to update your software, please do so.**
I. Security During Setup/Creation of Your Meeting
A. Set a Strong Meeting Password
B. Enable the Meeting Waiting Room
C. Disable “Join Before Host” Setting
D. Adjust Your Profile for Screensharing During Meetings
E. Add One or More Co-Hosts for Meetings with Many Participants
F. Scheduling Meetings via Outlook Plugin
II. Security During Your Zoom Meeting
A. Lock the Meeting
B. Removing an Unauthorized Participant from a Meeting
C. Prevent Participants from Screen Sharing
D. Prevent Participants from Unmuting Themselves
E. Prevent Participants from Sending Files in Chat
F. Prevent Participants from Saving a Local Recording
III. How to Report an Incident of “Zoombombing”
A. Gather as Much Information as Possible
B. Submit an ASCTech Ticket
Some techniques you can use while you create or set up your Zoom Meeting:
When you set up your meeting, you can require that a password be used to join the Meeting. In Meeting settings:
In this example, the Meeting password is 10 characters long, and uses both upper- and lower-case letters, numbers and special characters. Participants must provide this password to join the meeting – but note that if you have used the “Copy Invitation” area when creating your meeting, the password information is included in that text. You may wish to send a separate email or choose a different method of communicating the Meeting password (e.g., SMS text to Participants’ phones). You can also change settings in your profile so that a password is required for all scheduled meetings, and/or all instant meetings, and/or for any meetings you set up with your Personal Meeting ID (PMI).
Setting a Waiting Room creates a holding area for all Participants, who can only enter the Meeting when you, as the host, allow it (either one by one, or as a group). If you wish to make the Waiting Room a default for all your Meetings, enable this setting in your CarmenZoom profile settings, and choose whether this function will be used for (the default) All Participants or Guests only:
Each Participant attempting to join the meeting will see a dialog box with the message, "The meeting is waiting for the host to join." You can customize the dialog box displayed to Participants when they join, with a title, logo and description. If the "Enable Waiting Room" setting is checked, the "Join Before Host" option does not work. Once the Waiting Room setting is enabled in this way, it is enabled for all Meetings:
The "Join Before Host" setting controls whether Participants can enter the Meeting room before the host joins. By unchecking this setting, any Participants attempting to join the meeting will see a dialog box with the message, "The meeting is waiting for the host to join." (However, as mentioned above, if the Waiting Room is enabled for a Meeting, the "Enable Join Before Host" setting does not function.)
You may wish to adjust your Profile settings to manage your meeting defaults relating to screensharing options.
There are toggles in this area which control disabling screensharing altogether (restricting sharing to only selected applications), control whether Participants can annotate shared screens, and whether Participants may share the Zoom whiteboard during a Meeting. See also: Prevent Participants from Screen Sharing, for managing screensharing during Meetings.
Including an alternative host, or elevating one or more Participants to the role of Co-host once the Meeting is started, makes it easier to monitor the Participants area, as well as the Chat area. Co-host(s) can remove any unauthorized or disruptive Participants, and/or can lock the meeting (see Lock the Meeting for more detailed instructions). Co-hosts should scroll down the Participants list a few times during the Meeting to monitor who is attending.
Adding a Meeting to an Outlook calendar through the Outlook plugin may expose the password to anyone who has viewing permissions on that calendar, because the password is included in the calendar entry by default. To get around this problem, either make such calendar entries private or edit the text to remove the password.
In addition to settings affecting each meeting, Meeting hosts have additional methods of managing what Participants can (or can’t) do during a Zoom meeting.
As a security precaution, once all Participants have joined, the Meeting can be locked to prevent anyone else from joining:
- Make sure the Participants area is showing (select Manage Participants from the Meeting controls, at the bottom of the Meeting window).
- In the additional controls at the bottom of the Participants area, click on “More” (the three dots in the grey circle).
- Select “Lock Meeting”.
Use these same steps to unlock the meeting, should that be required. Note that once a Meeting has been locked, no one else may join - but there will not be any notifications to the host at that point if additional Participants try to join. You will want to wait to lock a Meeting until you are sure that all Participants are in the Meeting.
Once the Meeting has been started, Participants can be manually removed:
- Make sure the Participants area is showing (select Manage Participants from the Meeting controls, at the bottom of the Meeting window).
- At the entry for the Participant to be removed, select “More”.
- In the list that pops up, select “Remove”.
In the Meeting controls, click the arrow next to “Share Screen” and click “Advanced Sharing Options”:
In the dialog box that comes up, under “Who can share?”, make sure the radio button for “Only Host” is selected:
See also: Adjust Your Profile for Screensharing During Meetings, about adjusting your default Profile screensharing settings.
You can also enable or disable muting options at the bottom of the Participants list: click the “More” pulldown and _uncheck_ “Allow participants to unmute themselves”:
You can stop a Participant’s video stream at any time during the meeting: in the Participants area, click on the video camera icon next to the person’s name so the icon is crossed out:
If that Participant has not started their video, this option will show up as “Ask to Start Video”.
Toggle this ability for Participants in Profile settings, under "In Meeting (Basic)".
If you do set your Profile to allow file transfers, you can still limit the types of files that can be sent through the Chat area:
You may need to prevent any recordings being made of your Meeting, other than what you directly control; you can disable the ability of Participants to make a local recording of the Meeting. (Attendees do not have access to start a cloud recording.) In the Participants area, hover over a Participant name and click “More” to expand the options:
Make sure the “Allow Record” option is unchecked.
If you have experienced an incident of “Zoombombing,” know that OSU takes these incidents quite seriously; the team investigates all reports received. It is extremely beneficial for the OTDI staff to capture as much information as possible, to facilitate getting ahead of these disruptions. Remember that all such incidents are a problem with the disruptors, not you – and ASCTech works with OTDI to ensure that your Zoom meetings are as problem-free as possible.
In these cases, more information is better; if you are able, please note down the following details (both from your own Profile settings and from the individual Meeting settings):
- The Zoom meeting ID(s) and date/time details, if the meeting information still exists (OTDI understands that sometimes a user may have to delete a meeting to stop the harassment as quickly as possible);
- Whether a cloud or local recording was made, and can be provided to the OTDI team;
- Whether the chat transcript is still available (these files are always local);
- Any and all details you can provide about both your own Profile settings, and settings relating to the Meeting itself (again, this helps OTDI to continue to monitor and develop methods to prevent zoombombers’ getting access in future);
- Any other details you want to share about what transpired, and/or anything that you think would be helpful to OTDI.
If you can, please create a ticket for ASCTech with all of the above information; however, if submitting a ticket is not possible, a phone call to your local ASCTech support personnel is also appropriate. With the report information you provide, the OTDI team responsible for handling these incidents will respond directly, and also escalate to the Office of Inclusion and Equity (OIE), as well as IT Security.