Zoom Security Guide

There are a number of measures that one can use to secure a Zoom meeting from intruders. The university has selected a default configuration that balances ease of use with security. Individual users can change settings for their own profiles or for each meeting. Users are encouraged to exercise caution when changing default settings.

Upgrade your Zoom client to 5.0 now. After May 30th, all Zoom clients will receive a forced upgrade to 5.0 when attempting to join meetings.

Protect the Meeting URL

The Meeting URL basically provides those who have it with access to a meeting. Protecting the URL is the first step in securing a meeting.

Scheduling a Meeting
  • Use your N.C. A&T issued Zoom account to schedule meetings. Do not use Facebook.
Sharing the URL
  • Limit access to the URL. Only share it with those who need access. If you post it, do so in a secure location such as a Blackboard course message or an Office 365 Calendar invitation.
    • For added protection, only distribute the URL a few minutes before the meeting.
  • Do not place Zoom meeting details in a public forum such as a web page or Facebook.
    • If you must have an open meeting, please follow the additional guidelines below to secure the meeting.

 

Meeting Passwords

Passwords provide a means of limiting access to a meeting. For ease of use, passwords are often hashed and embedded in the Meeting URL. Hashing protects the password but it is still critically important to protect the Meeting URL.

Password Settings
  • Passwords are now required for all new Zoom meetings. Individuals can change this setting in their profile or for each meeting. Please change this only if you are certain the Meeting URL can be protected.
  • Passwords for new meetings are embedded in the URL. By default, the password is embedded in the meeting URL and anyone with the URL can join the meeting. Users can override this setting in their own profile or in individual meeting setup.
  • Removing the password from the URL. If a user has a concern about the security of a meeting, they are encouraged to disable the embedded password (but not the password itself) and use one of more of the following suggestions. Note that participants will be required to enter the meeting password to join the meeting.
    • Remove the password from the meeting invitation.
    • Do not share the password until shortly before the meeting begins.
    • Or change the password and share the new password shortly before the meeting begins.
    • Use additional measures below to further secure the meeting.

 

Additional Meeting Settings

In addition to passwords, these settings provide additional protection.

Cameras
  • Cameras are off by default. Participants can turn their cameras on when they join a meeting.
    • The host can turn off a participant’s video and request the participant to start their video after it has been turned off.
    • The host can only turn off one participant’s video at a time.
Microphones
  • Microphones are muted by default. Participants can unmute their microphones when they join.
    • Hosts can mute all participants at any time, and can prevent participants from unmuting their mics.
    • For added protection, hosts can use a waiting room to admit participants to the meeting. Hosts can join first and adjust the meeting settings to prevent participants from unmuting their mics. This setting cannot be changed in advance.
 Join Before Host
  • The Join before Host option has been turned off. Participants cannot join before the host.
    • For added protection, hosts can use a waiting room to admit participants to the meeting after the host joins.
Waiting Rooms
Screen Sharing
  • Screen Sharing has been limited to HOST ONLY.
    • Hosts can allow individual users to share their screen.
    • Hosts can allow all allow participants to share their screens by clicking on the ^ to the right of Share Screen in the Zoom tool bar during your meeting and select All Participants.
File Transfer
Lock Meeting
  • The Lock Meeting option is available to the host.  Once a meeting has started, the host can lock the meeting and no additional attendees can join.
    • If a participant drops out after the meeting is locked, they will not be able to rejoin.
Authenticated Users
  • The Only Authenticated Users Can Join option is disabled by default. This option only requires a participant to authenticate via Zoom and would not prevent an intruder from joining if they have a Zoom account.

 

Maximum Security

To maximize the security of a Zoom meeting, use the steps below.

  • Limit access to the Meeting URL.
  • Do not embed the password in the Meeting URL.
  • Do not distribute the password with the invitation.
  • Change the password and distribute it shortly before the meeting.
  • Keep the Join Before Host option off.
  • Keep Screen Sharing for Host Only option on.
  • Keep the File Transfer option off.
  • Use waiting rooms to admit participants.
  • Join the meeting as the host and prevent participants from unmuting themselves before admitting anyone.
  • Lock the meeting after all participants join.

 

What to do if a meeting is Zoombombed?

If a meeting is Zoombombed (an intruder joins and begins to share inappropriate content), the host must take action to regain control or close the meeting.

In large meetings, it can be difficult to identify intruders in the participant list in order to stop their video. In these situations, it might be best to close the meeting and reconvene with a different Meeting ID and password. 

To regain control, the host can take these steps:

  • Use the Manage Participants window to prevent participants from unmuting themselves.
  • Mute all participants.
  • Stop the video of the intruder(s).
  • Remove the intruder(s).
  • Lock the meeting.

Please report the incident to InformIT@ncat.edu.