Securing your Zoom Meetings

Background

In recent times, there have been numerous reported cases of “Zoombombing” during class sessions and other online meetings. “Zoombombing” refers to an uninvited guest or guests gaining access to a session, in which they typically share racist, misogynistic, and/or vulgar content via Zoom’s in-meeting features such as screen sharing and chat. To help prevent these scenarios, please refer to the settings and in-meeting host controls listed below to further secure your online sessions.

  • Desktop Client and Release Notes
  • In-Session Security Options
  • Other Host Controls During a Meeting
  • Meeting Settings
  • Desktop Client and Release Notes

    To access and utilize the newest settings and security features provided by Zoom, it is important to have the latest version of their desktop client. Additionally, please take the time to review Zoom’s release notes as they contain important updates, setting changes, and other feature/enhancement announcements.

    Checking your Desktop Client’s Version

    1. Open your Zoom desktop client.
    2. Click on your profile picture (or initials if you do not have a profile picture set).
    3. Select Check for Updates.
    4. If your desktop client is up-to-date, no further action is needed. If you client is out-of-date, you will be able to download and install the most recent version from here. You can also view the most recent release notes by clicking on the Release Notes hyperlink.
    5. The latest Zoom desktop client can also be downloaded by visiting the Zoom Download Center.

      Please Note: If you are unable to download and install the update due to the lack of administrative privileges on your machine, please contact your LAN Administrator or Desktop Support team.

    Release Notes

    Zoom’s most recent release notes can be viewed by visiting their Release Notes page.

    In-Session Security Options

    The new security icon found in your meeting controls allows both the host and co-host to enable and disable features during the meeting to further secure it and minimize potential disruption. While most of these features can be controlled from your user settings (which applies to all meetings by default), the security icon combines them all in one place for easy access during your online sessions.

    Lock Meeting

    • What does it do?
      • This feature allows the host and co-host to prevent anyone else from joining the meeting, even if they have the meeting ID and password.
    • How do you set it up?
      • Simply click the Lock Meeting button and new participants will not be able to join your meeting. To unlock, click Lock Meeting again. You can also refer to Zoom’s support page for In-Meeting Security Options (Zoom Desktop Client 4.6.10 or later)
    • How secure is it?
      • New participants will not be able to join the meeting.
    • JHU’s Recommendation
      • Lock Meeting: This feature is ideal for meetings where the host wants to prevent interruptions or where sensitive information may be shared.

    Waiting Room

    • What does it do?
      • The Waiting Room feature allows the host to control when a participant joins the meeting. As the meeting host, you can admit attendees one by one or hold all attendees in the waiting room and admit them all at once. When this feature is enabled, you will have a “Waiting Room” section under your participants list. From there, you can admit the participants into your meeting.
    • How do you set it up?
      • First, you will need to click Enable Waiting Room to activate it.
      • Once selected, you will have to manage the Waiting Room throughout the duration of the meeting in case of late comers or drops needing re-entry.You can find the Waiting Room under the participant list.
      • Please refer to Zoom’s support page for Waiting Room.
    • How secure is it?
      • The Waiting Room feature does give more control to the host as it allows them to decide who to admit into the session.
    • JHU’s Recommendation
      • If you use Waiting Room, screen your attendees.

    Remove Participant

    With the Remove Participant feature, the host or co-host can dismiss a participant from the meeting. The user(s) removed will not be able to rejoin unless you have the “Allow removed participants to rejoin” setting enabled. Once you select “Remove Participant…”, a red Remove button will be displayed next to each participant in the list. Click this button to dismiss that particular attendee.

    Report a Participant

    As part of Zoom’s new in-meeting security features, the host and/or co-host can now report a particular participant during a meeting. The meeting host/co-host will be able to select which participants they’d like to report, including any written details on why they are being reported, as well as any applicable attachments. The report will then be sent to the Zoom Trust and Safety team to evaluate any misuse of the platform and block the user if deemed necessary.

    1. During your session, click the Security icon in the meeting controls bar.
    2. Select Report… from the available options.
    3. You will then be prompted with the Report Form where you will include the name of the participant, the problem you were facing, and any additional comments and information. You can also include attachments and a screenshot of your desktop.
    4. Click Send when you have finished completing the report.

      Please refer to Zoom’s support page for Reporting Participants for more information on this feature.

      Allow participants to (when selected):

      Share Screen – Allows your participants to share their computer screens.
      Chat – Allows your participants to use the built-in chat window.
      Rename Themselves – Allows your participants to rename themselves from the Participants panel.

      For a video tutorial of the new in-meeting security icon features or for additional information on this enhancement, please refer to Zoom’s support page for In-Meeting Security Options

      Other Host Controls during a Meeting

      These settings are configured via the Host and Co-Host controls during a meeting.

      Mute All and Unmute All

      • What does it do?
        • You can mute all participants that are already in the meeting as well as new participants joining the meeting.
      • How do you set it up?
        • Please refer to Zoom’s support page for Mute All and Unmute All.
        • When you mute all participants, you can also choose whether to allow them to unmute themselves. The default option is ‘Allow participants to unmute themselves’
      • How secure is it?
        • By default, participants can unmute themselves.
        • If you choose not to “Allow participants to unmute themselves”, then when participants try to unmute, they will get prompted “You cannot unmute yourself as host has muted all attendees”.
      • JHU’s Recommendation
        • Mute participants upon entry: Participants can unmute themselves when it is time for them to talk.

      Screen Sharing – Who can Share?

      • What does it do?
        • Zoom allows for screen sharing on desktop, tablet and mobile devices running Zoom.
          • The host and attendee can screen share by clicking the Share Screen icon.
          • The host does not need to grant screen share access for another participant to share their screen.
          • The host can prevent participants from accessing screen share.
      • How do you set it up?
        • During a meeting, the host can enforce Host Only sharing or allow All Participants.
        • Please refer to Zoom’s support page for Host and Co-Host Controls in a Meeting
        • During a meeting, scroll down to the Screen Share section.
        • Screen Share controls (click the next to Share Screen): Select who can share in your meeting and if you want only the host or any participant to be able to start a new share when someone is sharing.
      • How secure is it?
        • This change would only affect the running meeting.
        • Participants, on trying to share, will be told “Only the host can share in this meeting”.
        • Hosts/Co-Hosts can still automatically share.
        • You could promote a participant to Co-Host temporarily in-meeting to allow sharing.
      • JHU’s Recommendation
        • Restrict sharing to host/co-host only: Allow participants to share as needed.

      Meeting Settings

      These settings are typically configured during the creation of a meeting creation or under your user settings.

      Meeting Password:

      • What does it do?
        • In November 2019, we configured our Zoom instances to require a meeting password (New Setting: Password Required for Meetings)
        • All newly scheduled Zoom meetings, instant Zoom meetings, and Personal Meeting ID (PMI) meetings (where Join Before Host is enabled) will require a password by default.
        • The meeting password must meet these requirements:
          • 10 characters maximum
          • Passwords are case sensitive
          • We recommend using alphanumeric characters and these special characters:  @ * _ –
          • The Zoom desktop client allows alphanumeric characters and these special characters: @ * _ –
          • The Zoom desktop client allows alphanumeric characters and these special characters: @ * _ –
      • How do you set it up?
        • For scheduled meetings, the meeting password will be in the invitation. For instant meetings, the password will be displayed in the Zoom Client or on the Zoom Rooms Controller. The password is also included in the meeting join URL For more information, please see Zoom’s Support page on using meeting passwords.
      • How secure is it?
        • The (encrypted or hashed) password  is included in the meeting join URL
        • Example:  https://jhjhm.zoom.us/j/123456789?pwd=cUpYWGRHY0JicEFrTWc0L2p3aXJ5UT09
        • If participants are given that meeting join URL, they can join without needing to enter the meeting password.
        • Note, that pwd string in the URL (e.g., cUp…) is NOT the actual meeting password.  This can cause confusion.
        • If participants are only provided with the meeting ID (e.g., https://jhjhm.zoom.us/j/123456789 or 123-456-789), THEN they would be prompted to enter the meeting password.
      • JHU’s Recommendation
        • Require a password: For increased security to reduce the threat of “Zoombombing”, consider requiring a password for students to join the meeting.
        • Do not share your Invitation link publicly: You can either email the link to your students or post it in your Blackboard course.

      Join Before Host vs Waiting Room

      • What does it do?
        • Join Before Host – Join before host allows attendees to join the meeting before the host joins or when the host cannot attend the meeting. If you select join before host, then the participants can join the meeting before the host joins or without the host.
        • Waiting Room – The Waiting Room feature allows the host to control when a participant joins the meeting. As the meeting host, you can admit attendees one by one or hold all attendees in the waiting room and admit them all at once. You can send all participants to the waiting room when joining your meeting or only guests, participants who are not on your Zoom account or are not signed in.
      • How do you set it up?
      • How secure is it?
        • This is set per meeting, not across all meetings, so you can have different options for different meetings depending on your use case.
        • Join Before Host would not be very secure, as it is meant to let participants into a meeting without a host.
        • The Waiting Room feature does give more control to the host as it allows them to decide who to admit into the session.
      • JHU’s Recommendation
        • Determine per meeting whether you want to utilize Join Before Host or Waiting Room.
        • If you use Join Before Host, require a meeting password. 
        • If you use Waiting Room, screen your attendees. 

      Mute Participants Upon Entry

      • What does it do?
        • This meeting setting will automatically mute all participants when they join the meeting. The host controls whether participants can unmute themselves.
      • How do you set it up?
        • Please refer to Zoom’s support page for Changing your meeting settings.
        • Under Personal > Settings > Meeting tab, scroll down to Mute Participants Upon Entry.
        • Toggle the option from ‘Off’ (default) to ‘On’.
        • For existing meetings, please visit Zoom’s support page for managing your meetings.
      • How secure is it?
        • This is set per meeting, not across all meetings, so you can have different options for different meetings depending on your use case.
        • While this feature mutes participants when they initially enter the meeting, it DOES NOT prevent them from unmuting.  If you want to prevent participants from unmuting you will have to do that via in-meeting controls (see below),
      • JHU’s Recommendation
        • Mute participants upon entry: Participants can unmute themselves when it is time for them to talk.

      Screen Sharing – Who can Share?

      • What does it do?
        • Zoom allows for screen sharing on desktop, tablet and mobile devices running Zoom.
          • The host and attendee can screen share by clicking the Share Screen icon.
          • The host does not need to grant screen share access for another participant to share their screen.
          • The host can prevent participants from accessing screen share.
        • Sharing of screen, by default, is given to All Participants upon entry into the meeting. Sharing includes Annotation and Whiteboard functionality. However, you can change this meeting default.
      • How do you set it up?
        • Please refer to Zoom’s support page for Changing your meeting settings.
        • Under Personal > Settings > Meeting tab, scroll down to Screen Sharing.
        • Change Who can share? from ‘All Participants’ (default) to ‘Host Only’.
        • Save the change.
      • How secure is it?
        • This change would affect all your existing meetings.
        • Participants, on trying to share, will be told “Only the host can share in this meeting”.
        • Hosts/Co-Hosts can still automatically share.
        • You can change this in-meeting (see In-Meeting Screen Sharing) if you want All Participants to share.
        • Or you could promote a participant to Co-Host temporarily in-meeting.
      • JHU’s Recommendation
        • Restrict sharing to host/co-host only: Allow participants to share as needed.