Zoom: Security Settings & Best Practices

This service is for faculty, staff, and students.

With so much of the world moving to virtual meetings, these meetings have become a larger security target than ever before. Intruders are finding their way into Zoom sessions and performing activities during the meetings (known as "Zoombombing") which include, but are not limited to: taking control of screen sharing to display inappropriate content, sharing malicious links in the chat, and being disruptive.

In an effort to protect your and your participants' privacy, ITS and our Information Security Team have put together a list of recommendations and guidelines to help keep you secure.

How to Update to the Latest Version

Make sure your Zoom software is up to date. It is good practice to keep the latest version of the software installed and to check for updates regularly. Companies release new features, improvements, and important security patches in these updates. Please ensure you are using version 4.6.10 or higher to have access to the latest features.

  • Update your computer software: Open Zoom. Click your profile picture to select the Check for Updates option.
  • Updates for mobile devices: Go to your phone or tablet's app store to update your Zoom mobile app. 

How to remove an unwanted participant from your meeting (least restrictive)

You need the host role to remove an intruder. Be sure to start your meeting as host. Do not join with the participant link that you provided for your participants to join the meeting. 

How to Join as the Host

  • For staff and students: Start your meeting at stthomas.zoom.us from your list of scheduled Meetings to join as host.
  • For instructors only: Start your meeting for Canvas-scheduled class meetings from Zoom Pro in Canvas to claim host role.

You must join your meeting with the host role or claim it in-meeting with your host key to remove an intruder.

How to Remove a Participant as a Host:

  1. During the meeting, go to MANAGE PARTICIPANTS.
  2. Hover over the intruder and select More > Remove.
  3. Once a participant is removed, they cannot re-enter the meeting.

 

How to Control Screen Sharing & Chat (medium restrictive)

The following instructions guide you through disabling screen sharing at the settings level for all meetings.

You may allow participants to screen share in-meeting as needed by enabling participant screen share in Advanced Sharing Options.

How to Disable Screen Sharing as your Meeting Default

Before you schedule a meeting, change your settings in the online Zoom portal. 

  1. Log in to your Zoom account at stthomas.zoom.us
  2. On the left, go to Settings
  3. Go to In-Meeting (basic)
  4. Scroll down to Screen Sharing
  5. Set Who can share? to Host Only (See screenshot below) 
  6. Click Save

Screenshot of zoom settings to allow only the host to screen share.

How to Enable Participant Screen Sharing for Individual Meetings

When you are in-meeting with Participant Screen Sharing disabled as your Settings default, you may enable screen sharing as needed.

  1. In your meeting, go to the Security tab.
  2. Under "Allow Participants to:" click Share Screen to ensure the check mark is visible.
    Adjust screen share settings in the Zoom meeting security tab

 

How to Control Chat

Meeting and webinar hosts can control whether participants can chat with everyone, with panelists and the host (for webinars), or only with the host. 

  1. Start a meeting or webinar as host. 
  2. Click Chat in the Meeting Controls.
  3. At the bottom of the in-meeting Zoom Group Chat window, click More, and then choose an option for Allow attendees to chat with.
     
    • For meetings, the host can allow attendees to chat with everyone or with the host only. 
    • For webinars, the host can allow attendees to chat with no one, with all panelists (including host), or with all panelists and attendees.

 

How to require St. Thomas authentication (highly restrictive)

Prevent anyone who does not have an active St. Thomas account from joining your meeting. You must edit meeting settings (previously scheduled and new) to require authentication.

Zoom settings include the option to turn on the Only authenticated users can join feature, which prevents meeting intruders and allows only participants with active St. Thomas email accounts to join the meeting.

Important Note: The default will also prevent non-St. Thomas participants whom you would like to join, such as guest speakers and observers, from joining your meeting. To change the default and allow outside participants, you may edit the Only authenticated users can join setting to allow other specific email domains (e.g. “umn.edu” or any other email domain), so that participants with email addresses belonging to those domains can join your meeting.

  • You cannot allow specific email addresses (e.g. tmsmith@umn.edu). You may only allow the email domain “umn.edu,” of which tmsmith@umn.edu is a part, just as all St. Thomas emails are part of the stthomas.edu domain. In our example with the U of M email, allowing the domain will let your participant join your meeting, and it will also permit anyone with a umn.edu email address to join.
  • Broadly used email domains, such as gmail.com, are much less safe to allow, since this opens up your meeting to anyone with a gmail.com email address. Best practice is to only allow company or organization domains, not domains offering free, easily obtained email accounts which are not tightly controlled.

Restrict to St. Thomas Accounts Only

You may edit a meeting that has already been scheduled to apply Only authenticated users can join, as long as the meeting is not already started and in progress.

In the meeting scheduling screen under Meeting Options, check the box for Only authenticated users can join. If you are restricting your meeting to only St. Thomas email account holders, checking this box is all that’s needed. 


 

Permit Guest Speakers to Join Your Authenticated Meeting

If you need to permit one or more other email domains for the meeting (e.g. to include a guest speaker), these instructions go into more depth. You may edit a meeting that has already been scheduled to apply Only authenticated users can join, as long as the meeting is not already started and in progress.

  1. In the meeting scheduling screen under Meeting Options, check the box for Only authenticated users can join.
  2. To permit email users from domains other than stthomas.edu, select Edit.
    Zoom app menu for editing authentication
  3. The View/edit domains screen will pop up. After stthomas.edu, add a comma and no space, then type the domain that will be permitted to join the meeting. Click Save.
    Zoom app menu for editing domains for authenticated users
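
The domain rules described above (domains only, a comma with no space between entries, and the risk of free-mail domains) can be checked before a list is typed into the View/edit domains box. The following is an added example, not part of the original article or of Zoom's software; the function names, the short free-mail list, and the exact-match rule for deciding who may join are assumptions.

```python
# Added example: models the "View/edit domains" field as the article describes it
# (domains separated by a comma and no space). This is not Zoom's own logic.
import re

# Constructed, non-exhaustive sample of free, easily obtained mail domains.
PUBLIC_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def review_domain_field(field):
    """Return (domains, findings) for the text typed into the domains box."""
    domains, findings = [], []
    for raw in field.split(","):
        entry = raw.strip().lower()
        if raw != raw.strip():
            findings.append(f"{raw!r}: remove the space next to the comma")
        if not entry:
            findings.append("empty entry (stray comma)")
        elif "@" in entry:
            findings.append(f"{entry}: only domains can be allowed, not addresses")
        elif not DOMAIN_RE.match(entry):
            findings.append(f"{entry}: not a valid domain name")
        else:
            if entry in PUBLIC_MAIL:
                findings.append(f"{entry}: free mail provider, admits anyone")
            if entry not in domains:
                domains.append(entry)
    return domains, findings


def may_join(email, domains):
    """Assumption: admitted when the part after '@' equals an allowed domain."""
    _, sep, domain = email.strip().lower().rpartition("@")
    return bool(sep) and domain in domains


if __name__ == "__main__":
    # Constructed input: guest domain, stray space, free-mail domain, an address.
    allowed, notes = review_domain_field(
        "stthomas.edu,umn.edu, gmail.com,tmsmith@umn.edu")
    print("allowed:", allowed)
    for note in notes:
        print("finding:", note)
    for who in ("tmsmith@umn.edu", "someone.else@umn.edu", "guest@example.org"):
        print(who, "->", "admitted" if may_join(who, allowed) else "blocked")
```

The sample run shows the trade-off the article warns about: allowing umn.edu for one guest speaker also admits every other umn.edu address.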

 

 

Other Recommendations from Zoom

You may be interested in additional features Zoom offers to find the right fit for your needs. 

  • Lock Meeting: Once you're confident your attendees are all present, you can lock the meeting so that no additional participants can join. However, if a participant's internet connection drops and they leave the room (accidentally or intentionally), they will not be able to rejoin the meeting while it is locked. Learn more about where to find the Lock Meeting feature based on the type of device you're using for your meeting.
     
  • Waiting Room: A waiting room that is enabled for a meeting or your Personal Meeting ID will bring your participants into a holding area. The host can then control whom to accept into the meeting. This may be a significant amount of work for the host depending on the number of attendees invited to your Zoom session, although it can be a good feature to use in a situation such as virtual office hours where you only want to admit one attendee at a time. To protect the conversation of each attendee, you can choose when you want to admit a new participant and remove the previous participant from the meeting.
     
  • Require Registration to Attend: Instead of posting the join link, you could require that individuals register for your meeting/event/webinar. This helps you verify in advance who is joining your meeting and have a record of it.  Only after you approve (automatically/manually) will the attendee be able to see and use the join link. 

Watch Zoom 101: Securing your Meetings & Virtual Classrooms (6:35 min) on YouTube.

Read Zoom's website to learn where in-meeting security options are located. 

To report a problem or receive additional troubleshooting, please contact the Tech Desk.

Details

Article ID: 106097
Created: Fri 4/24/20 12:00 PM
Modified: Mon 1/4/21 10:55 AM