Main menu (IT)

How To Keep Your Zoom Sessions Secure

Zoom is a synchronous (live) web conferencing tool that is fantastic for fostering meaningful instructor-student and student-student interactions. It is being used by many faculty to assist with a smooth transition to temporary remote teaching and learning. It is important to consider the security implications of the Zoom meetings that you set up. It is important to properly secure your meeting if there is any discussion of Level 1 or Level 2 data. In addition, if it is a video meeting it is important to secure the recording if there are minors involved or non-CSUN participants.

Latest Zoom Update 

To enhance the security of Zoom sessions, and in anticipation of a global change Zoom is set to make on September 27, we will soon be requiring passwords on all newly-created Zoom meetings. This change will happen prior to the beginning of the Fall semester. Additional information will be available in the future, as we approach these dates.
 
Meetings scheduled without a passcode will show a red icon in the Zoom web dashboard, along with a red exclamation point next to the meeting name. For instructions on adding a passcode to your scheduled meeting, visit the accordion section titled "How do I keep my Zoom meeting secure?" on the CSUN Zoom main page.
 
For more information on these new requirements, visit Zoom's FAQ Meetings Waiting Room and Passcode Requirements page
 

Adjust Screen Share Options in the Meeting

Most likely, your Zoom In-Meeting settings at the account level are set to allow all participants to share. Giving students the opportunity to share their work is a powerful feature of Zoom. It is best to leave this setting enabled at the account level and make fine-tuned adjustments within meetings when it is not appropriate for others to share.

Below, is a screenshot of the Zoom meeting settings at the account level. To check your account settings, go to https://csun.zoom.us/, sign in, choose Settings on the left, and then select In-Meeting (Basic) and scroll to Screen sharing.

Screen sharing options in Zoom.

In-Meeting Screen Share Settings

  1. In the Zoom toolbar, select the caret next to Share Screen.
  2. In the Advanced Sharing Options window, make these adjustments:
    • How many participants can share at the same time?
      • Select One participant can share at a time.
    • Who can share?
      • Select Only Host

        3. When you get to a point in your meeting where you want students to share, return to Advanced Sharing Options and adjust the settings.

Disable Attendee Annotation

If you have Annotation enabled in your In-Meeting (Basic) settings at the account level, that means attendees will be able to annotate on your shared screen at any time. 

To check your account level settings:

  1. Log in at https://csun.zoom.us/
  2. On the left, choose Settings.
  3. Select In-Meeting Basic.
  4. Scroll to Annotation. If Annotation is enabled, that means attendees can annotate on your shared screen.

Annotation settings.

While this feature can be great for collaborative activities, you can easily deactivate the feature but only once you have begun to share your screen. Follow these steps:

  1. Share your screen.
  2. Select More in the screen share controls.
  3. Select Disable participants annotation.

If you wish to encourage students to annotate your shared screen, simply re-enable the feature by following the same steps.

Disable Chat

The Chat feature is a useful feature in Zoom, which allows participants to chat with the group or one another, directly. However, to safeguard your meeting, this feature can be turned off if needed. 

Follow these instructions to disable chat in a Zoom meeting.

  1. In the Zoom meeting window, select Chat.
  2. In the Chat panel, select Chat menu. l.
  3. In the pop-up window, select No One to prevent participants from chatting in the meeting.

Disable chat in Zoom.

Enable a Waiting Room

To enhance the security of Zoom sessions, and in anticipation of a global change Zoom is set to make on September 27, we will soon be requiring passwords on all newly-created Zoom meetings. This change will happen prior to the beginning of the Fall semester. Additional information will be available in the future, as we approach these dates. For more information on Passwords, Waiting Rooms, and these new requirements, visit Zoom's FAQ Meetings Waiting Room and Passcode Requirements page.

The Waiting Room feature allows the host to control when a participant joins the meeting. As the host, you can admit attendees one by one, or hold all attendees in the waiting room and admit them all at once. This prevents a participant from disrupting the meeting before the host has joined. This can be extremely helpful for faculty office hours sessions (to preserve student privacy).  It can be effective during a live class session but will require more management by the host during the session.

Enable Waiting Room

To enable Waiting Room for all users in the account:

  1. Sign in to the Zoom as an administrator with the privilege to edit account settings.
  2. In the navigation menu, click Account Management then Account Settings.
  3. Navigate to the Waiting Room option on the Meeting tab and verify that the setting is enabled.
    Note:  If the setting is disabled, select the Status toggle to enable it. If a verification dialog displays, choose Turn On to verify the change.

    Waiting room settings.
  4. Select who you want to admit to the waiting room.
    • All participants: All participants joining your meeting will be admitted to the waiting room. 
    • Guest participants only: Only participants who are not on your Zoom account or are not logged in will be admitted to the waiting room. If not logged in, they will have an option to log in. 
      Note: If Guest participants only is enabled, you can also enable the option to allow internal participants (users on the account), to admit guests from the waiting room if the host is not in the meeting. 
  5. (Optional) If you want to make this setting mandatory for all users in your account, select the lock icon, and then select Lock to confirm the setting.

End a Meeting Immediately

To end a meeting for all participants, select End Meeting (only available to the host) and then End Meeting for All (otherwise the meeting will continue for others, including the trolls). If you want to have the meeting continue, you should give another participant host control before leaving the meeting.

Source: 6 Tips to Deter Zoom-bombers in Times of Disruption

Far End Camera Control Should Be Disabled

Far End Camera Control allows another user to take control of your camera and use Pan-Tilt-Zoom (PTZ) functionality of the camera. This feature opens the session up to security vulnerabilities. For this reason, this feature should be disabled. To verify if it is disabled:

  1. Sign into the Zoom web portal as an administrator with the privilege to edit Account Settings, and select Account Settings.
  2. Navigate to the Far end camera control option on the Meeting tab and verify that the setting is disabled. 

Meeting Security When Scheduling Zoom Meetings Using Your Outlook Calendar

If you add a Zoom meeting to your calendar or create a Zoom meeting in your calendar using the Zoom Outlook Plug-in, note that the calendar entry may include the Zoom meeting password. If you have set up your calendar so that it is open for colleagues to view the details of your meetings, this can expose the password to anyone who views your calendar. We recommend making the calendar entry private or editing the entry to remove the Zoom meeting password.

Mute All Participants

This meeting setting can help reduce audio issues but will also mute microphones for all attendees as they join the room. The ability to allow participants to unmute themselves can be disabled by the host or co-host within the meeting. In addition to the steps below, view Managing Participants in a Meeting (video) for more information. 

  1. Select the Manage Participants button in the Zoom toolbar. 

        Manage participants button.

  1. At the bottom of the Participants window, select More
  • Choose Mute Participants on Entry
  • Deselect Allow Participants to Unmute Themselves

How to encourage students to share in voice:

    • Stop and various points and ask students if they have questions. Instruct them to use the Raise Hand feature to communicate to you that they’d like to speak. You will see a raised hand next to a student’s name in the Participants window. Verbally call on the student and manually unmute the student’s mic.

    Post Meeting Security - Recordings

    If a meeting is recorded, the recording is located on the host’s local machine. Please be aware of the content and have all participants permissions in place before posting the meeting to a public site. We recommend securing the recording using myCSUNBox

    Recorded Sessions Only Stored in Canvas or myCSUNbox

    To protect recorded sessions, faculty who choose to record a session should keep those recordings in Canvas or myCSUNbox where they are secure. 

    Remove Unwanted Participants

    In Zoom, open the Participants list. Select the unwanted participant, select "More," select "Remove."  Unless you have enabled the option to allow removed users to return, that specific account will not be able to rejoin the meeting. View Manage Participants in a Meeting (video)

    Set Meeting Passwords & Meeting IDs

    To enhance the security of Zoom sessions, and in anticipation of a global change Zoom is set to make on September 27, we will soon be requiring passwords on all newly-created Zoom meetings. This change will happen prior to the beginning of the Fall semester. Additional information will be available in the future, as we approach these dates. For more information on these new requirements, visit Zoom's FAQ Meetings Waiting Room and Passcode Requirements page.

    You can add a password that participants must enter or otherwise have access to in order to join your meeting. You could share the main meeting details more broadly and then distribute the password to only your audience. Also, we recommend that you create unique meetings for each session, rather than reusing the meeting ID for all meetings. If you do, and the meeting is compromised, all meetings using the same meeting ID and password will also be compromised. 

    An important feature, outlined below, shows how to “embed password in meeting link for one-click join.” This allows users to click once to get into a meeting, not have to enter the password manually, yet still thwart most unwanted intruders.

    Enabling password settings for your account and embedding passwords

    1. Sign in to the Zoom: https://csun.zoom.us/ and navigate to Settings
    2. Navigate to the Meeting tab and verify that the password settings that you would like to use for your account are enabled. Note: If the setting is disabled, select the Status toggle to enable it. If a verification dialog displays, choose Turn On to verify the change.   
    3. In the Embed password in meeting link for one-click join, Turn On the feature by clicking on the toggle button.

                

    Note: If the option is grayed out, it has been locked at either the Group or Account level, and you will need to contact your Zoom administrator.

    By default, meetings are assigned a random password. You can update the password to one you prefer in your settings. 

    For more information on updating passwords visit Meetings & Webinar Passwords

    Share Links in Your Password-Protected Course in Canvas

    Be Mindful of Where You Publicize Your Meeting

    You increase the risk of unwanted guests if you post your meeting details online. Be careful about posting the "join" details of an online event to websites, social media, or other publicly accessible sources.

    • Share the meeting link to only the intended participants. You are strongly advised to share your Zoom session link in your password protected Canvas course, so it can only be accessed by students enrolled in your class. 
    • Ask participants to not share the meeting details beyond the intended audience (class, team, colleagues, etc.).
    • Avoid posting the meeting link, PIN, ID, and/or password on social media or public sources.
    • Use a secure service, e.g. a learning management system such as Canvas, to share or post the links or meeting details.  

    Stop Participant's Video

    If someone has accidentally (or purposely) turned on their webcam and you do not want the video to display, you can use the "Stop Video."  After doing this, the participant will no longer be able to share their webcam until you choose "Ask to Start Video." For more information on what a host can do, visit Controls for Hosts and Co-Hosts

    Stop Unwanted Screen Sharing

    To prevent others from screen sharing, the host can share their screen or disable the option for attendees to share their screens. Of course, for student presentations or collaboration, the screen sharing option is vital. As the host, you may wish to configure "Only Host" in the beginning and then allow others to screen share when appropriate. For more information, view Host and Co-Host Controls in a Meeting (video)

    Use a Browser to Access Zoom

    CSUN recommends faculty, staff and students use their browser to connect to meetings rather than the dedicated Zoom app. This setting reduces the number of possible vulnerabilities a hacker can use t to compromise your machine. Chrome, Firefox, Edge and Opera are easy to update and hardened against attacks. If you do want to continue to use the Zoom app, please make sure you are checking for updates regularly

    User Controls

    1. Security Icon: The Security Icon at the bottom of the screen contains all the Zoom security features previously found in the meeting menus.
    2. Robust Host Controls: Admins will be able to report an unauthorized user through the security icon. They will also have the option to disable the ability for users to rename themselves. For education customers screen sharing is now limited to the host. 
    3. Waiting Room Default: For education customers the waiting room feature is now set by default. The waiting room option is also available as the meeting is in progress.
    4. Meeting password complexity and default-on: Meeting passwords are now on by default. For those who have access to administered accounts, have the ability to define password complexity such as length, characters, and/or specific requirements. 
    5. Cloud recording passwords: Passwords are now set as a default for those who want to access the recordings aside from the meeting host. 
    6. Secure account contact sharing: Zoom will support larger corporations allowing users to meet with with contacts across multiple accounts.
    7. Dashboard enhancement: Admin users can view their connection to the Zoom data centers on their Zoom dashboards. 
    8. Additional: New non-PMI meetings have 11 digits IDs. Invite and meeting Ids have been removed from ongoing meetings and have been moved to the participants menu, making this harder to accidentally share the their meeting ID.

    User Guides & Other Resources

    For more information on Zoom, please visit the Keep Teaching – Resources & Tools page.

    What is Zoombombing?

    A new form of trolling in which a participant uses Zoom’s screensharing feature to interrupt and disrupt meetings and classes. The disruptions are being termed Zoombombings and the perpetrators Zoom Trolls. These incidents can create significant issues with the teaching and learning of materials and steps should be taken to prevent this. 

    Below are some practices that may reduce the likelihood of this occurring during one of your sessions and the recovery actions you can take if it does. 

    When in doubt, know how to end a session for all attendees immediately, if necessary. Instructions are in the End a Meeting Immediately section.

    To balance security with functionality, review the options below and make the best decisions for your needs. We recommend that you consider a "dry run" with a colleague before your official class or meeting to verify that the settings match your desired outcomes.

    Zoom Meeting Controls

    Meeting Controls
    Zoom Meeting Authentication Options - Ways to prevent Zoombombing (least to most secure)PreventsVulnerable ToUser Experience
    No Password, No Authentication
    • Nothing
    • Everything 
    • Link passed around or posted.
    • Anyone can access anonymously.
    User is able to click once for access.
    Embedded Passwords 
    • Link and password shared 
    • Anyone can access anonymously
    User is able to click once for access
    Separate Password 
    • War Dialing 
    • Prevents link passing if password is communicated separately
    • Link and password shared 
    • Anyone can access anonymously
    User clicks on URL and is prompted for the password 
    Authentication using CSUN User ID & Password, and allowing Google/Facebook User ID’s & Passwords
    • Most Zoombombing 
    • Prevents eavesdropping
    • Someone creating a throwaway Facebook or Google account.

    If authenticated the user can click on the link. Otherwise it will ask for authentication. 

    Authentication using CSUN User ID & Password only
    • Most Zoom issues 
    • Compromised accounts accessing the meeting. (This situation is highly unlikely) 
    If not authenticated you will be asked to authenticate 
    Authentication using CSUN User ID & Password with DUO Multi-Factor Authentication (.pdf)

     

    • Every Zoom issue 

     

    • Least Vulnerable 
    When clicked Duo will prompt user to authenticate