Zoom Security Best Practices

Zoom bombing is the anti-social act of joining a Zoom meeting with the intent to disrupt or offend. A meeting is either pre-targeted or joined at random. Unfortunately, such attacks are all too common. However, there are many ways to protect oneself when setting up and running a Zoom meeting.

Within the meeting, there is a “security” icon in the taskbar with some commonly used security features:

  1. The waiting room feature is one of the better security features. If this is turned on, each participant has to be approved by the host before entering the room. If you are unsure of the person joining, you can chat with them prior to allowing them entrance. If you do not get the prompt to do so, open up the “participants panel” and click “Message” next to their name.
  2. When all your expected attendees are in the room, it is a good idea to “lock meeting” to prevent anyone else from joining.
  3. Always allow participants the minimum number of privileges needed to run the meeting effectively. For example, it is likely that no one other than the host will be sharing their screen, so there is no need to allow participants the option to do so.
  4. If the worst happens, rather than ending the meeting you can click “Suspend Participant Activities.” This will turn off everybody’s video and audio and stop screen sharing. It will also automatically lock the meeting. This will give you time to assess the situation and determine if you want to continue. You can also then kick out the malefactor: From the participants panel, hover over the person in question, click “more” and then “remove.”

Add “registration required” to the meeting. This option is available when creating or editing the meeting. In theory, a bad actor can still register and join, but it introduces enough friction that most would not. It also allows you to gain an understanding of who will be attending ahead of time.

Harvard Zoom accounts set passwords on new meetings as standard. To double check that the meeting is password protected, take a look at the meeting link. It should have a section at the end with the phrase “?pwd=” in it. Many Zoom bombers will randomly join meetings by typing random meeting IDs into Zoom. The password is a good first defense, as such individuals would not know it without prior knowledge of the link. Never share meeting links publicly: anyone who has the link can get past the password, so this protection becomes null and void.
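The link check described above can be run over a draft announcement before it is sent or posted. The following is an added example, not part of the original guidance; the function name, the finding labels and the sample text are constructed, and it assumes join links have the form https://<subdomain>.zoom.us/j/<meeting ID>?pwd=<token>.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Matches anything that looks like a URL; Zoom-specific checks happen below.
URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)

def audit_zoom_links(text, public=False):
    """Return (url, finding) pairs for every Zoom join link found in text.

    Findings (labels are this example's own):
      "no-passcode"      - link lacks ?pwd=, so a guessed meeting ID is enough
      "passcode-exposed" - link carries ?pwd= and the text is going public
      "ok"               - link carries ?pwd= and the text stays private
    """
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;")           # drop sentence punctuation
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # Exact suffix match so look-alike hosts (zoom.us.example.org) are ignored.
        if not (host == "zoom.us" or host.endswith(".zoom.us")):
            continue
        if not re.fullmatch(r"/j/\d+/?", parts.path):  # assumed join-link path
            continue
        # parse_qs drops empty values, so a bare "?pwd=" counts as missing.
        pwd = parse_qs(parts.query).get("pwd", [""])[0]
        if not pwd:
            findings.append((url, "no-passcode"))
        elif public:
            findings.append((url, "passcode-exposed"))
        else:
            findings.append((url, "ok"))
    return findings

# Constructed sample announcement (meeting IDs and token are made up).
SAMPLE = """Join us Friday: https://example.zoom.us/j/91234567890?pwd=Q29uc3RydWN0ZWQ.
Office hours: https://example.zoom.us/j/98765432100
Slides: https://example.org/slides?pwd=notzoom"""

if __name__ == "__main__":
    for url, finding in audit_zoom_links(SAMPLE, public=True):
        print(f"{finding:17} {url}")
```

Run it with public=True for anything headed to a website or social media, and with the default for direct invitations.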

If hosting a large public event, it is recommended that you host this as a webinar. A webinar splits the audience into pre-approved “panelists” who have control over their microphone and webcam, and “participants” who do not. Because participants have no control over their mic or webcam without permission from the host, there is very little potential for disruption. Setting up a webinar requires an additional license available from HUIT. Please contact Marcus Mayo for more information if interested in using the webinar platform.