When scheduling a meeting or webinar, we recommend you sign in with your credentials on the web portal at zoom.us instead of using the Zoom client app on your computer. The web portal gives you access to advanced features that aren’t available when scheduling using the Zoom client app.
One of the best security measures we can use to protect ourselves against Zoombombing is enabling passwords for meetings and webinars.
- Passwords are enabled by default when creating and scheduling new meetings through the Zoom account provided to you by ITS
- Passwords can be changed to any password of your choosing by editing the meeting through the web portal at zoom.us
- Invite links will contain the password in the link so users will not need to enter the password manually
There are a few important things to keep in mind when it comes to passwords:
- Sharing a link that contains a password with an unauthorized user, or on a public-facing site or page, will not stop unauthorized users from joining (see more about sharing links below)
- Sharing the meeting ID and password together will also not stop unauthorized users from joining
- The password feature is to protect against the practice known as War Dialing - using a computer algorithm to find meeting IDs
- You can find more information on War Dialing from this page
Combined with the use of passwords, the most important step we should take to protect our meetings is to make sure that only users who are invited to the meeting have the link.
- Links should never be shared with people who will not be participating in the meeting or webinar
- Links should never be posted on public-facing sites or pages
Keeping our Zoom meeting links private will ensure that no unauthorized users will ever be able to join our meetings.
Use private methods of sharing and distributing, such as:
- A dedicated Slack channel or Teams page
- Email can be used for non-Penn affiliated staff, students, or other guests - but be sure to inform them in the email to never share the meeting details or forward the email to unauthorized users
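The sharing rules above can be checked before a draft announcement goes onto a public page. This added example (not part of the original guidance or of any Zoom tooling) flags join links, including ones that carry an embedded password, and a meeting ID posted together with its password; the `/j/<id>?pwd=` link shape, the invitation wording, and the sample draft are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed join-link shape: https://[subdomain.]zoom.us/j/<meeting id>?pwd=<token>
JOIN_LINK = re.compile(r"https://(?:[\w-]+\.)?zoom\.us/j/\d{9,11}(?:[^\s\"'<>)]*[^\s\"'<>).,;])?", re.I)
# Assumed plain-text invitation wording: "Meeting ID: 123 4567 8901" / "Passcode: ..."
MEETING_ID = re.compile(r"Meeting ID:\s*((?:\d[ -]?){9,11})", re.I)
PASSCODE = re.compile(r"(?:Passcode|Password):\s*\S+", re.I)


def audit_public_text(text):
    """Return findings for Zoom join details that should not appear in public text."""
    findings = []
    for match in JOIN_LINK.finditer(text):
        parts = urlsplit(match.group(0))
        has_pwd = "pwd" in parse_qs(parts.query)
        findings.append({
            "kind": "join link with embedded password" if has_pwd else "join link",
            "meeting_id": parts.path.rsplit("/", 1)[-1],
            "value": match.group(0),
        })
    id_match = MEETING_ID.search(text)
    if id_match and PASSCODE.search(text):
        findings.append({
            "kind": "meeting ID and password together",
            "meeting_id": re.sub(r"\D", "", id_match.group(1)),
            "value": id_match.group(0).strip(),
        })
    return findings


def redact(text, placeholder="[link sent privately to invited participants]"):
    """Replace every join link so the draft can be posted publicly."""
    return JOIN_LINK.sub(placeholder, text)


# Constructed sample: a draft announcement intended for a public web page.
DRAFT = (
    "Join our seminar at https://example.zoom.us/j/12345678901?pwd=Q29uc3RydWN0ZWQ.\n"
    "Meeting ID: 123 4567 8901\n"
    "Passcode: 424242\n"
)

if __name__ == "__main__":
    for finding in audit_public_text(DRAFT):
        print(finding["kind"], "->", finding["meeting_id"])
    print(redact(DRAFT))
```

`redact` only removes links; a meeting ID and password written out in the text still have to be deleted by hand once `audit_public_text` reports them.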
Registration is another great tool to prevent unauthorized access to Zoom meetings and webinars. Registration offers the following benefits:
- Ensures that only registered participants will be given the meeting/webinar link
- Prevents bots or software programs from signing up via the registration link
- Hosts can vet participants before approving them (before Zoom sends the registrant a link) by enabling the Manual Approval feature
- You can delay sending the meeting link until a day of your choosing to mitigate the possibility of someone accidentally sharing the link publicly online
Despite registration sounding like an event or webinar feature, it is available for both meetings and webinars. For use with a meeting, please make sure to use the generated meeting ID and not your Personal Meeting ID (PMI).
Zoom has a very helpful guide on setting up registration for meetings here.
For Webinar registration, click here.
Locking Meetings and Webinars
Locking meetings after all attendees have joined is the best way to prevent unauthorized access after the meeting has already started.
- As the Host or co-host, click Participants to bring up the list of all participants
- Click on the button labeled “More” in the lower right-hand corner of the participants window
- Click the option “Lock Meeting”
- You will get a pop up message saying, “No new attendees can join this meeting once locked.”
- Click OK
This will prevent any unauthorized user who somehow obtained the meeting ID and password from joining.
- Consider turning participant Chat off
  - Click on “Chat,” then click “More.” Under “Participants can chat with,” select “No One”
- Consider disallowing anonymous questions
  - On the webinar settings, select the “Q&A” tab. Click “Edit” and uncheck “Allow anonymous questions.”
- Consider turning off the Social Media links on your registration page
  - On the Webinar settings on the web, navigate to “Approval Options,” then click “Edit.” De-select “Show social share buttons on registration page”
What to do if an Unauthorized User Joins Your Meeting
As the Host or co-host, you have certain privileges to prevent unauthorized users from disrupting your meeting.
By default, screen sharing is set to Host only, so you won’t have to worry about inappropriate content being screen shared.
- You can unilaterally mute all participants from the Participants window
  - Click “Mute All” at the bottom of the window (this can be used as a quick first step/counterattack to prevent the unauthorized user from saying anything inappropriate)
- You can eject the unauthorized user from the meeting/webinar
  - Hover over the user’s name in the Participants window, click “More” and then click “Remove”
- Lock the meeting immediately after removing an unauthorized user - this is imperative to prevent them from joining again
It’s a good idea for the host and all co-hosts to be aware of these features so that an unauthorized user can be quickly removed.