Securing Zoom Meetings

Summary

Steps to help secure a Zoom meeting (includes some Meeting-specific settings, and some setup recommendations).

Body

Overview

"Zoombombing" happens when a non-secured meeting ID is shared or guessed and an uninvited anonymous attendee connects and eavesdrops or sometimes shares inappropriate content. Below are a number of strategies you can use, both when creating/scheduling your Meetings, and from your Profile settings.

**Zoom is updating the desktop client software more frequently than usual; if you receive a message to update your software, please do so.**

I. Security During Setup/Creation of Your Meeting

A. Set a Strong Meeting Password

B. Enable the Meeting Waiting Room

C. Disable “Join Before Host” Setting

D. Adjust Your Profile for Screensharing During Meetings

E. Add One or More Co-Hosts for Meetings with Many Participants

F. Scheduling Meetings via Outlook Plugin

II. Security During Your Zoom Meeting

A. Lock the Meeting

B. Removing an Unauthorized Participant from a Meeting

C. Prevent Participants from Screen Sharing

D. Prevent Participants from Unmuting Themselves

E. Prevent Participants from Sending Files in Chat

F. Prevent Participants from Saving a Local Recording

III. How to Report an Incident of “Zoombombing”

A. Gather as Much Information as Possible

B. Submit an ASCTech Ticket

Security During Setup/Creation of Your Meeting

Some techniques you can use while you create or set up your Zoom Meeting:

 

Set a Strong Meeting Password

When you set up your meeting, you can require that a password be used to join the Meeting. In Meeting settings:

Zoom Meeting Setting: Password Entry Textfield

 

In this example, the Meeting password is 10 characters long, and uses both upper- and lower-case letters, numbers and special characters. Participants must provide this password to join the meeting – but note that if you have used the “Copy Invitation” area when creating your meeting, the password information is included in that text. You may wish to send a separate email or choose a different method of communicating the Meeting password (e.g., SMS text to Participants’ phones). You can also change settings in your profile so that a password is required for all scheduled meetings, and/or all instant meetings, and/or for any meetings you set up with your Personal Meeting ID (PMI).

 

Enable the Meeting Waiting Room

Setting a Waiting Room creates a holding area for all Participants, who can only enter the Meeting when you, as the host, allows (either one by one, or as a group). If you wish to make the Waiting Room a default for all your Meetings, enable this setting in your CarmenZoom profile settings, and choose whether this function will be used for (the default) All Participants or Guests only:

Zoom Profile Settings: Enable Waiting Room

 

Each Participant attempting to join the meeting will see a dialog box with the message, "The meeting is waiting for the host to join." You can customize the dialog box displayed to Participants when they join, with a title, logo and description. If the "Enable Waiting Room" setting is checked, the "Join Before Host" option does not work. Once Waiting Room setting is enabled in this way, it is enabled for all Meetings:

Zoom Meeting Settings: Waiting Room Enabled

 

Disable “Join Before Host” Setting

The "Join Before Host" setting controls whether Participants can enter the Meeting room before the host joins. By unchecking this setting, any Participants attempting to join the meeting will see a dialog box with the message, "The meeting is waiting for the host to join." (However, as mentioned above, if the Waiting Room is enabled for a Meeting, the "Enable Join Before Host" setting does not function.)

Zoom Profile Settings: Disable Join Before Host

 

Adjust Your Default Settings for Screensharing During Meetings

You may wish to adjust your Profile settings to manage your meeting defaults relating to screensharing options.

Zoom Profile Settings: Screenshare Settings

 

There are toggles in this area which control disabling screensharing altogether (restricting sharing to only selected applications), control whether Participants can annotate shared screens, and whether Participants may share the Zoom whiteboard during a Meeting. See also: Prevent Participants from Screen Sharing, for managing screensharing during Meetings.

 

Add One or More Co-Hosts for Meetings with Many Participants

Including an alternative host, or elevating one or more Participants to the role of Co-host once the Meeting is started, makes it easier to monitor the Participants area, as well as the Chat area. Co-host(s) can remove any unauthorized or disruptive Participants, and/or can lock the meeting (see above for more detailed instructions). Co-hosts should scroll down the Participants list a few times during the Meeting to monitor who is attending.

 

Scheduling Meetings via Outlook Plugin

Adding a Meeting to an Outlook calendar through the Outlook plugin may expose the password to anyone who has viewing permissions on that calendar, because the password is included in the calendar entry by default. To get around this problem, either make such calendar entries private or edit the text to remove the password.

 

Security During Your Zoom Meeting

In addition to settings affecting each meeting, Meetings hosts have additional methods of managing what Participants can (or can’t) do during a Zoom meeting.

Lock the Meeting

As a security precaution, once all Participants have joined, the Meeting can be locked to prevent anyone else from joining:

  • Make sure the Participants area is showing (select Manage Participants from the Meeting controls, at the bottom of the Meeting window).
  • In the additional controls at the bottom of the Participants area, click on “More” (the three dots in the grey circle).
  • Select “Lock Meeting”.

Zoom Meeting Settings: Lock Meeting

 

Use these same steps to unlock the meeting, should that be required. Note that once a Meeting has been locked, no one else may join - but there will not be any notifications to the host at that point if additional Participants try to join. You will want to wait to lock a Meeting until you are sure that all Participants are in the Meeting.

 

Removing an Unauthorized Participant from a Meeting

Once the Meeting has been started, Participants can be manually removed:

  • Make sure the Participants area is showing (select Manage Participants from the Meeting controls, at the bottom of the Meeting window).
  • At the entry for the Participant to be removed, select “More”.
  • In the list that pops up, select “Remove”.

Zoom Meeting Settings: Remove Participant

 

 

Prevent Participants from Screen Sharing

In the Meeting controls, click the arrow next to “Share Screen” and click “Advanced Sharing Options”:

Zoom Meeting Settings: Advanced Meeting Controls

 

In the dialog box that comes up, under “Who can share?”, make sure the radio button for ”Only Host” is selected:

Zoom Meeting Controls: Screensharing Options

 

See also: Adjust Your Profile for Screensharing During Meetings, about adjusting your default Profile screensharing settings.

 

Prevent Participants from Unmuting Themselves

You also can enable or disable muting options at the bottom of the Participants list - at the bottom of Participants list, click the “More” pulldown and _uncheck_ “Allow participants to unmute themselves”:

Zoom Meeting Settings: Allow Participants to Unmute

 

You can stop a Participant’s video stream at any time during the meeting: in the Participants area, click on the video camera icon next to the person’s name so the icon is crossed out:

Zoom Meeting Settings: Stop Participant Video

If that Participant has not started their video, this option will show up as “Ask to Start Video”.

 

Prevent Participants from Sending Files in Chat

Toggle this ability for Participants in Profile settings, under "In Meeting (Basic)". 

If you do set your Profile to allow file transfers, you can still limit the types of files that can be sent through the Chat area:
Zoom Profile Settings: Control Permitted FIletypes

 

Prevent Participants from Saving a Local Recording

You may need to prevent any recordings being made of your Meeting, other than what you directly control; you can disable the ability of Participants to make a local recording of the Meeting. (Attendees do not have access to start a cloud recording.) In the Participants area, hover over a Participant name and click “More” to expand the options:

Zoom Meeting Settings: Prevent Local Recording

Make sure the “Allow Record” option is unchecked.

 

How to Report an Incident of “Zoombombing”

If you have experienced an incident of “Zoombombing,” know that the OSU takes these incidents quite seriously; the team investigates all reports received. It is extremely beneficial for the ODTI staff to capture as much information as possible, to facilitate getting ahead of these disruptions. Remember that all such incidents are a problem with the disruptors, not you – and ASCTech works with ODTI to ensure that your Zoom meetings are as problem-free as possible.

 

Gather as Much Information as Possible

In these cases, more information is better; if you are able, please note down the following details (both from your own Profile settings and from the individual Meeting settings):

  • The Zoom meeting ID(s) and date/ time details, if the meeting information still exists (OTDI understands that sometimes a user may have to delete a meeting to stop the harassment as quickly as possible);
  • Whether a cloud or local recording was made, and can be provided to the OTDI team;
  • Whether the chat transcript is still available (these files are always local);
  • Any and all details you can provide about both your own Profile settings, and settings relating to the Meeting itself (again, this helps OTDI to continue to monitor and develop methods to zoombombers’ getting access in future);
  • Any other details you want to share about what transpired, and/or anything that you think would be helpful to OTDI.

 

Submit an ASCTech Ticket

If you can, please create a ticket for ASCTech with all of the above information; however, if submitting a ticket is not possible, a phone call to your local ASCTech support personnel is also appropriate. With the report information you provide, the OTDI team responsible for handling these incidents will respond directly, and also escalate to the Office of Inclusion and Equity (OIE), as well as IT Security.

 

Details

Details

Article ID: 102702
Created
Tue 3/24/20 10:51 AM
Modified
Tue 11/14/23 5:12 PM