Zoom Security Guidelines

In response to worries about “Zoombombing” (see here and here), ITS has implemented several changes for all Penn Law Zoom accounts and established guidelines for best practices.

Recent Changes (as of April 3rd):

1. All new meetings now default to requiring a password

  • The password is included in the meeting invitation that Zoom generates. The “Join” URL generated in the invitation includes the password, so users just need to click that link to join the meeting.
  • Keep the password as numbers only to make it easy for participants connecting via phone to enter it. If you change your password to include letters, a separate numeric password will be generated in the invitation for phone users to use.

2. Annotation is “off” for all users

  • If you would like to use annotation, follow these instructions to enable annotation on your account.

3. Screen-sharing by participants is “off” by default

  • To enable screen sharing for a participant, make that participant a Co-Host of the meeting

4. File Sharing is disabled

Best Practices for Meetings and Webinars

When scheduling a meeting or webinar, we recommend you sign in with your credentials on the web portal at zoom.us instead of using the Zoom client app on your computer. The web portal gives you access to advanced features that aren’t available when scheduling using the Zoom client app.

Passwords

One of the best security measures we can use to protect ourselves against Zoombombing is enabling passwords for meetings and webinars.

  • Passwords are enabled by default when creating and scheduling new meetings through the Zoom account provided to you by ITS
  • Passwords can be changed to any password of your choosing by editing the meeting through the web portal at zoom.us
  • Invite links will contain the password in the link so users will not need to enter the password manually

There are a few important things to keep in mind when it comes to passwords:

  • Sharing a link that contains a password with an unauthorized user/on a public facing site or page will not stop unauthorized users from joining (see more about sharing links below)
  • Sharing the meeting ID and password together will also not stop unauthorized users from joining
  • The password feature protects against the practice known as War Dialing: using a computer algorithm to find meeting IDs
  • You can find more information on War Dialing from this page

Sharing Links

Combined with the use of passwords, the most important step we should take to protect our meetings is to make sure that only users who are invited to the meeting have the link.

  • Links should never be shared with people who will not be participating in the meeting or webinar
  • Links should never be posted on public facing sites or pages

Keeping our Zoom meeting links private will ensure that no unauthorized users will ever be able to join our meetings.
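
An added example, not part of the original ITS guidelines: a check that scans draft text for Zoom join links before it is posted, and rates a link with an embedded password as the more serious finding. The /j/<meeting ID>?pwd=<token> link shape is an assumption about how invitations are formatted; the sample draft, meeting IDs and token are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed link shape (not stated on the page):
#   https://<optional subdomain>.zoom.us/j/<meeting ID>?pwd=<token>
ZOOM_URL = re.compile(r"https?://(?:[\w-]+\.)*zoom\.us/[^\s<>\"')]+", re.IGNORECASE)
JOIN_PATH = re.compile(r"^/j/(\d{9,11})/?$")

def find_zoom_links(text):
    """Return one finding per Zoom join link found in text."""
    findings = []
    for match in ZOOM_URL.finditer(text):
        url = match.group(0).rstrip(".,;")  # drop trailing sentence punctuation
        parts = urlsplit(url)
        join = JOIN_PATH.match(parts.path)
        if not join:
            continue  # a zoom.us page that is not a join link
        has_password = "pwd" in parse_qs(parts.query)
        findings.append({
            "meeting_id": join.group(1),
            "embedded_password": has_password,
            # A link with the password admits anyone who reads the page;
            # a bare link still exposes the meeting ID.
            "severity": "high" if has_password else "medium",
            # Report the link without its query string so the finding
            # itself does not repeat the password.
            "redacted": f"{parts.scheme}://{parts.netloc}{parts.path}",
        })
    return findings

# Constructed sample: a draft announcement intended for a public page.
SAMPLE_DRAFT = """\
Join the reading group: https://zoom.us/j/5551230000?pwd=Q09OU1RSVUNURUQ
Office hours (password sent separately): https://example.zoom.us/j/5559870000.
General information: https://www.law.upenn.edu/its/zoom-schedule/index.php
"""

if __name__ == "__main__":
    for finding in find_zoom_links(SAMPLE_DRAFT):
        print(f'{finding["severity"]:6} {finding["meeting_id"]} {finding["redacted"]}')
```
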

Use private methods of sharing and distributing, such as:

  • A dedicated Slack channel or Teams page
  • Email can be used for non-Penn affiliated staff, students, or other guests - but be sure to inform them in the email to never share the meeting details or forward the email to unauthorized users

Registration

Registration is another great tool to prevent unauthorized access to Zoom meetings and webinars. Registration offers the following benefits:

  • Ensures that only registered participants will be given the meeting/webinar link
  • Prevents bots or software programs from signing up via the registration link
  • Hosts can vet participants before approving them (before Zoom sends the registrant a link) by enabling the Manual Approval feature
  • You can delay sending the meeting link until a day of your choosing to mitigate the possibility of someone accidentally sharing the link publicly online

Despite registration sounding like an event or webinar feature, it is available for both meetings and webinars. For use with a meeting, please make sure to use the generated meeting ID and not your Personal Meeting ID (PMI).

Zoom has a very helpful guide on setting up registration for meetings here.

For Webinar registration, click here.

Locking Meetings and Webinars

Locking meetings after all attendees have joined is the best way to prevent unauthorized access after the meeting has already started.

  • As the Host or co-host, click Participants to bring up the list of all participants
  • Click on the button labeled “More” in the lower right hand corner of the participants window
  • Click the option “Lock Meeting”
  • You will get a pop up message saying, “No new attendees can join this meeting once locked.”
  • Click OK

This will prevent any unauthorized user who somehow obtained the meeting ID and password from joining.

Additional Considerations

  • Consider turning participant Chat off
    • Click on “Chat,” then click “More.” Under “Participants can chat with” select “No One”
  • Consider disallowing anonymous questions
    • On the webinar settings, select the “Q&A” tab. Click “edit” and uncheck “allow anonymous questions.”
  • Consider turning off the Social Media links on your registration page
    • On the Webinar settings on the web, navigate to “Approval Options,” then click “Edit.” De-select “Show social share buttons on registration page”
  • Turn off “Allow attendees to join from multiple devices”

What to do if an Unauthorized User Joins Your Meeting

As the Host or co-host, you have certain privileges to prevent unauthorized users from disrupting your meeting.

By default, screen sharing is set to Host only, so you won’t have to worry about inappropriate content being screen shared.

  • You can unilaterally mute all participants from the Participant window
    • Click “Mute All” at the bottom of the window (this can be used as a quick first step/counterattack to prevent the unauthorized user from saying inappropriate content)
  • You can eject the unauthorized user from the meeting/webinar
    • Hover over the user’s name in the Participants window, click “More” and then click Remove
  • Lock the meeting immediately after removing an unauthorized user - this is imperative to prevent them from joining again

It’s a good idea for the host and all co-hosts to be aware of these features so that an unauthorized user can be quickly removed.

As always, please reach out to us at itsmedia@law.upenn.edu with questions. We continue to hold daily trainings on Zoom, as well as Panopto for pre-recorded videos.

See here for general information on managing calls in Zoom: https://www.law.upenn.edu/its/zoom-schedule/index.php
