Video Conferencing - Applying Best Practices for Zoom Security


Introduction

Zoom is a versatile video conferencing tool that unifies cloud video conferencing, simple online meetings, group messaging, and a software-defined conference room solution into one easy-to-use platform. You can host and join Zoom video conferences from your computer, tablet, or smartphone. 

The Zoom Help Center has full instructions on using Zoom. The instructions below are specific to Virginia Tech. To see other Zoom topics, please see Video Conferencing - Holding Zoom Conferences on a PC or Mobile Device.

Zoom has a plethora of security settings that allow hosts of meetings to ensure that their meetings are secure and provide a safe environment. Security features are available for use before and during hosted meetings.

Instructions

About Zoom Bombing

Zoom bombing is when someone joins your meeting uninvited and says, shows on video, or writes in chat inappropriate, threatening, racist, or sexist content. The following meeting types are susceptible:

  • Meetings where the join URL or meeting ID is posted online.
  • Meetings where the meeting ID has been bombed before (it's a known target).
  • Meetings open to the public but without meeting registration.
  • Meetings without waiting rooms.
  • Meetings without passcodes.
  • Meetings where people not logged into Zoom or Virginia Tech Zoom can join.

Zoom bombers are typically groups of bad actors who obtain and share meeting information and coordinate their attacks.

  • Once your meeting has been disrupted, it's very difficult to remove every attacker and regain control. It's best to abandon the meeting. 
  • Zoom bombers are rarely Virginia Tech affiliates, so Virginia Tech authorities like Virginia Tech Police Department, Human Resources, and Student Affairs cannot enforce consequences.
  • Law enforcement can only act if physical threats were made. 

Zoom security settings can prevent Zoom bombing attacks! 

Utilizing Zoom Security Settings

Secure future meetings by setting secure default settings for new meetings in your Zoom profile and choosing secure settings when scheduling meetings. Utilizing these features will help prevent Zoom bombing and prevent unauthorized access to your meetings. 

  • All meetings will require one of three security options by default: waiting rooms, passcodes, or only authenticated users can join.
  • Additional settings related to security are meeting registration, meeting recording, and random Meeting IDs.

Waiting Rooms

Waiting rooms let you look at who wants to join your meeting before you let them in. All meetings have waiting rooms set by default. 

  • Participants joining the meeting are placed in a waiting room.
  • Hosts admit participants one at a time or all at once.
  • Hosts can put participants back in the waiting room.
  • If waiting rooms are enabled, join before host will not work. 
  • Webinars do not support Waiting Room. Use a webinar practice session as an alternative.

To edit your waiting room rules: 

  1. Log in to the Zoom web portal.
  2. In the navigation menu, click Settings.
  3. Under the Security section, the Waiting Room feature will be automatically enabled. 
  4. Click Edit Options to select who you want to admit to the Waiting Room.
    • Everyone: All participants joining your meeting will be admitted to the Waiting Room. 
    • Users not in your account: Only participants who are not on your Zoom account or are not logged in will be admitted to the Waiting Room. If not logged in, they will have an option to log in. 
    • Users who are not in your account and not part of the allowed domains: Users who are on your account or signed in to a Zoom account at the domains you list will bypass the Waiting Room. After selecting this option, enter the domain(s) here, separating multiple domains by a comma.

Passcodes

There are two ways to join a Zoom meeting - by entering the Join ID or using a meeting invitation URL. 

  • Passcodes prevent someone from entering your Join ID and accessing your meeting without the passcode. 
  • Passcodes are included in the meeting invitation URL. Do not share your invitation URL on the Internet.

Authentication Profiles

Authentication profiles allow you to restrict the meeting to one of the following: 

  • Need to be signed into Virginia Tech
  • Need to be signed into Zoom

Need to be signed into Virginia Tech is the most secure authentication profile. If you have a non-VT guest speaker, you can add them as an exception. The participants added as an exception will receive unique meeting invite links and bypass authentication. See How to add authentication exceptions.

Meeting Registration

You can require attendees to register before the meeting.

Recording and Chat logs

It is easier to investigate interruptions captured in Zoom cloud recordings and in meeting chat. 

Meeting ID

Do not use your personal meeting ID for public or recurring events.

  • Once meeting IDs are shared online, it's easier for an attacker to strike again.  
  • Use random, Zoom-generated meeting IDs instead.

Account Security Settings

Your account has security settings that you can modify to improve the security of meetings and webinars.

Setting Account Security Settings
  1. Go to the Virginia Tech Zoom Web Portal and click Sign in
  2. Log in with your PID and passphrase. You'll go to your Meetings by default. 
  3. Click Settings. It will default to the Meetings tab in the Security section. 
  4. Keep Require that all meetings are secured with one security option enabled. This ensures you cannot accidentally override security settings and hold an insecure meeting.
  5. Enable Waiting Room and click Edit Options. Under Who should go in the waiting room? (instead of joining the meeting directly) choose:
    • Everyone (most secure) if you want all participants to first go to the waiting room. 
    • Users not in your account if you only want non-VT people to go in the waiting room. VT people will be prompted to log in.
    • Users who are not in your account and not part of the allowed domains if you only want non-VT people and people not in domains you list to go to the waiting room.
  6. There are six (6) passcode settings:
    • Enable Require a passcode when scheduling new meetings.
    • Enable Require a passcode when scheduling new meetings.
    • Enable Require a passcode for instant meetings.
    • Enable Require a passcode for Personal Meeting ID (PMI) and All meetings using PMI.
    • Enable Require passcode for participants joining by phone.
    • Only enable Embed passcode in invite link for one-click join if you will never post your meeting invitation link publicly. If you post it publicly, require registration and send the passcode to registrants separately. 
  7. Enable Only authenticated users can join meetings. When you schedule meetings, you can choose from the three authentication options:  
    • Need to be signed into Zoom: Anyone signed into any Zoom account can join. 
    • Need to be signed into Virginia Tech Zoom: Only those signed into Virginia Tech Zoom can join.
      • You can add individual non-VT email addresses as exceptions. See Adding authentication exceptions (users)
      • Regarding phone users, choose the setting that aligns with your typical Zoom attendees. 
  8. Enable Only authenticated users can join meetings from Web client
  9. Most Zoom bombing attacks originate in the U.S., but you can choose to enable Approve or block entry to users from specific regions/countries.
  10. These are the most secure account settings:
    [Image: the most secure account settings]

Scheduling Secure Meetings

  • When you schedule a new meeting, it will have your account setting by default. 
  • You can change settings for individual meetings. 
  • The Virginia Tech Zoom Web portal has more scheduling settings than the Zoom client.

Configuring Security Settings in the Zoom Portal

To schedule a meeting:

  1. Log into the Virginia Tech Zoom Web portal.
  2. Click Meetings, then click Schedule a Meeting
  3. Enter the Topic, Description, date and time, and recurrences. 
  4. Meeting settings related to security start with Registration

We suggest these settings: 

  1. Registration - Requiring registration means participants must register to be able to join the meeting once it starts. Hosts can screen participants or have Zoom approve them automatically. 
    • If your meeting includes members of the public, check Required next to Registration
  2. Meeting ID - Check Generate Automatically. Randomly generated meeting IDs are harder to guess.
  3. Security - You must choose at least one Security option. We recommend you choose more than one.
    • Meeting Passcode - Require a passcode. Passcodes are included in the invitation URL. Participants joining by URL need not enter a passcode. Only participants joining by Meeting ID enter passcodes. 
    • Waiting Room - Participants join a waiting room before entering the meeting. The host then admits them to the meeting. 
    • Only authenticated users can join. Choose the most secure profile that will meet your needs:
      • Need to be signed into Virginia Tech (most secure!): participants must be Virginia Tech affiliates signed into VT Zoom. 
      • Need to be signed into Zoom: participants must be signed into a Zoom account to join the meeting.
  4. Video - Turn on host video and turn off participant video. You can allow participants to share video during the meeting. 
  5. Audio - Choose how participants can join. Restrict where participants can dial in from. 
  6. Meeting Options
    • Allow participants to join anytime - Uncheck this to prevent participants from joining before you. 
    • Mute participants upon entry - Check.
    • Automatically record meeting - It's easier to investigate interruptions if the meeting was recorded. 
    • Approve or block entry to users from specific regions/countries - Check to choose which countries to either allow or exclude.
  7. Choose a Purpose (required).
  8. Save
  9. These are the most secure meeting settings:
    [Image: the most secure meeting settings]
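
The scheduling suggestions above can also be checked mechanically. The following is an added example, not part of the original Virginia Tech instructions: it audits one meeting's settings against the suggestions in this section. The field names are assumed to mirror the Zoom REST API meeting object, open_to_public is a hypothetical flag supplied by the caller, and the sample meetings are constructed.

```python
from urllib.parse import urlparse, parse_qs

def audit_meeting(meeting, open_to_public=False):
    """Return findings for one meeting; an empty list means it matches the checklist.

    Field names are assumed to mirror the Zoom REST API meeting object;
    open_to_public is a hypothetical flag supplied by the caller.
    """
    s = meeting.get("settings", {})
    findings = []
    # At least one of these three options is required; more than one is recommended.
    enabled = [name for name, on in (
        ("passcode", meeting.get("password")),
        ("waiting room", s.get("waiting_room")),
        ("authentication", s.get("meeting_authentication")),
    ) if on]
    if not enabled:
        findings.append("FAIL: no security option enabled")
    elif len(enabled) == 1:
        findings.append(f"WARN: only one security option enabled ({enabled[0]})")
    if s.get("use_pmi"):
        findings.append("WARN: personal meeting ID used instead of a generated ID")
    # Join-before-host has no effect when the waiting room is on.
    if s.get("join_before_host") and not s.get("waiting_room"):
        findings.append("WARN: participants can join before the host")
    if not s.get("mute_upon_entry"):
        findings.append("WARN: participants are not muted upon entry")
    if s.get("auto_recording", "none") == "none":
        findings.append("WARN: meeting is not recorded automatically")
    if open_to_public:
        # approval_type 2 is assumed to mean "no registration required".
        if s.get("approval_type", 2) == 2:
            findings.append("FAIL: public meeting without registration")
        # An invitation URL with a pwd parameter carries the passcode with it.
        if "pwd" in parse_qs(urlparse(meeting.get("join_url", "")).query):
            findings.append("FAIL: passcode embedded in a publicly posted link")
    return findings

# Constructed sample meetings (not real meeting IDs or passcodes).
WEAK = {"password": "", "join_url": "https://example.zoom.us/j/0000000000",
        "settings": {"use_pmi": True, "join_before_host": True, "approval_type": 2}}
HARDENED = {"password": "constructed", "join_url": "https://example.zoom.us/j/0000000000",
            "settings": {"waiting_room": True, "meeting_authentication": True,
                         "mute_upon_entry": True, "auto_recording": "cloud",
                         "approval_type": 0, "use_pmi": False}}
PUBLIC_LINK = dict(HARDENED, join_url=HARDENED["join_url"] + "?pwd=CONSTRUCTED")

if __name__ == "__main__":
    for name, m in (("weak", WEAK), ("hardened", HARDENED), ("public link", PUBLIC_LINK)):
        print(name, audit_meeting(m, open_to_public=True))
```
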
Configuring Security Settings in the Zoom Client

The Zoom client has fewer meeting scheduling settings than the Zoom web portal. To schedule a meeting, click Schedule on the Home screen.

We suggest: 

  • Meeting ID - Set to Generate Automatically. Randomly generated meeting IDs are harder to guess.
  • Passcode - Set your own passcode or use Zoom's 
  • Video - Turn on host video but turn off participant's video. They can turn on video after they join. 

Configuring Security Settings in Zoom from Canvas

See Best Practices for Zoom Meetings to learn how to schedule class meetings through Canvas.

Other Preventative Actions to Improve Security

These preventative actions are recommended in order to increase the security of your scheduled meetings.

Updating your Zoom Client

Older Zoom client versions might not have updated security settings. In the Zoom client, click your icon, then Check for Updates.

Invitation URL Sharing

Do not share meeting IDs or passcodes via social media. If you must share meeting information on the Internet:

  1. Require registration.
  2. Require a passcode. Don't share the invitation URL or passcode. 
  3. Use authentication profiles to require attendees be signed into Zoom. 
    • Any free Zoom account will work. Most bad actors never sign into Zoom. 
  4. Have a backup plan.
    • Set up a secondary location or meeting you can move to if you're interrupted.
    • Only give known attendees information on the backup session.

Security Email Alerts

Virginia Tech notifies hosts if their Zoom meeting information is exposed online. 

Managing Secure Meetings

Some meeting controls are only available after the meeting begins. 

Meeting Security Settings

At the bottom of the Zoom client, click Security. These are the most secure in-meeting settings:

  • After everyone has joined, click Lock Meeting to prevent unwanted participants. 
  • If the meeting is unlocked, you can Enable Waiting Room to hold new participants. 
  • You can choose to Hide Profile Pictures of participants. 
  • Under Allow participants to, uncheck any boxes to prevent participants from doing those actions.

Preventing Participants from Turning on Their Video

After the meeting starts, click Participants. Hover over a participant and click More then Stop Video. Repeat for all participants (or have the co-host do so).

Muting Participants

After the meeting starts, click Participants. You can: 

  • Click Mute All.
  • Click the more icon [...] at the bottom right and uncheck Allow Participants to Unmute Themselves.

Preventing Participants from Making Annotations
  1. While screen sharing, click More in the controls.
  2. Click Disable Annotation for Others.
Running Secure Breakout Rooms

Screen sharing cannot be disabled for breakout rooms, so participants can always turn on their audio and video. To prevent and mitigate interruptions, use breakout room monitors: 

  • Host and alternative host monitors can respond to interruptions.
  • Participant monitors can click the Ask for Help (question mark) icon in the breakout room, prompting the host to join the breakout room.

Pre-assign participants to breakout rooms whenever possible and notify host and participant monitors of their role. 

Responding to Interruptions

Zoom bombers often coordinate their attacks and repeatedly enter and disrupt meetings. If your meeting has been interrupted, consider immediately ending the meeting. If the community has a safe backup meeting location, move the meeting or event there. Only share the new meeting information with legitimate participants.

To avoid having to end the meeting, see the topics below to learn how to secure your meeting.

Editing Meeting Security Settings

At the bottom of the Zoom client, click Security. Checking the first three settings gives the most secure in-meeting configuration.

  • After everyone has joined, click Lock Meeting to prevent unwanted participants. 
  • If the meeting is unlocked, you can Enable Waiting Room to hold new participants. 
  • You can choose to Hide Profile Pictures of participants. 
  • Under Allow All Participants to, uncheck any boxes to prevent participants from doing those actions.

Stopping Background Noise / Muting All Participants

Click on Participants. Then at the bottom of the participants list, click Mute All.

Locking Annotations
  1. While screen sharing, click More in the controls.
  2. Click Disable annotations for others.

Suspending Participant Activities

Click Security then Suspend Participant Activities to mute all video and audio, stop screen sharing, end all breakout rooms, and pause recording.

Reporting Participants to Zoom
  1. Click Manage Participants.
  2. The participants window will open to the right of your meeting. 
  3. In the new window, hover over the participant's name and click More.
  4. Click Report...
  5. In the Report popup, add any other interrupters and let Zoom know What happened? Add a screenshot if you have one and click Submit
Removing Participants

After reporting them, hover over More again and click Remove. You can remove someone without reporting them, but reporting them helps Zoom prevent future disruptions. 

To allow them to rejoin, see: Allowing Removed Participants or Panelists to Rejoin

Getting Help

For instructions on resolving common issues with Zoom, see: Video Conferencing - Troubleshooting Zoom.

For problems logging into Zoom, contact Virginia Tech 4Help:
  • Go to 4Help, log in with your Virginia Tech Username (PID) and passphrase, and click Get Help.
  • Call (540) 231-4357.

For problems using Zoom, contact Zoom Support:
