Settings to Keep Your Zoom Session Secure

At ATUS, we strive to keep users of our learning technologies safe. With the enterprise license of Zoom for WWU faculty, staff, and students, we are able to offer our users safety measures during Zoom meetings such as the ability to require participants be authenticated through WWU's login.

See also: Zoom's Best Practices for Securing Your Virtual Classroom

This document includes:

  • Zoom for Western Security
    • Sample Student Notification
    • Zoom Meeting Settings Overview
    • Zoom Account Settings Overview
  • Zoombombing
  • Detailed Instructions to Prepare for Secure Meetings
  • Recommendations for Public Zoom Meetings

Zoom for Western Security

Zoom for Western licenses are activated for all faculty and staff and can be accessed via https://wwu-edu.zoom.us and signing in with your username@wwu.edu email address and WWU password. Students can activate their own Zoom for Western licenses. See the Zoom for Western page for details.

To keep your Zoom session and your students in a more secure environment:

  1. Update your Zoom software. Ensure you have the latest security updates: https://zoom.us/download 
  2. Require authentication. This alone secures the session to only WWU users and provides a record of those individuals in the Reports area for all meetings via your account on the Zoom.us website. 
    • Guests can now be added to Zoom meetings.
      • Edit the Zoom meeting by accessing Zoom on the web (not from the Zoom app or via Canvas).
      • Under Security, make sure Required authentication to join is enabled.
      • Next to Authentication Exception, click Add.
      • Enter the guest participant's name and email address.
      • Click Add Participant to add more exceptions.
      • Click Save.
  3. Review: "Detailed Instructions to Prepare for Secure Meetings" below.
    • Registration: Be aware that setting up Registration for your events does not guarantee security. Access information can still be shared.
    • Webinars/Streaming: For public events, consider streaming a secured meeting on YouTube or Facebook Live OR setting up a webinar with Video Services.

Sample Student/Participant Notification

It is prohibited to share invite links and/or passcodes to Zoom sessions with anyone outside of the class. This includes posting the links on public and/or social media sites. Revealing invite links and passcodes are information security and privacy risks. Violators will be subject to an investigation by the University and possible disciplinary action. Please see POL- U3000.04, Computer Use-Responsible Computing.

Zoom Meeting Settings Overview

When editing/creating a meeting: 

  1. Do: Require “Only authenticated users can join” with an @wwu.edu account* 
  2. Do: Share your “Invite Link” on a secure site, such as Canvas.**
  3. Do: Require meeting passcode and/or Enable waiting room
  4. Do not: Enable Join Before Host.
  5. Do: Mute participants upon entry.

* From within the Canvas integration this is called, "Only signed-in users with specified domains can join meetings." Also, this setting can be added to existing meetings to impact future sessions.

**For public events, consider streaming a secured meeting on YouTube or Facebook Live OR setting up a webinar with Video Services. See Recommendations for Public Zoom Meetings at the end of this document.

NOTE: If you would like to add exception emails to the authentication list, you will need to edit the Zoom meeting by accessing Zoom on the web (not from the Zoom app or via Canvas).

See the section "Detailed Instructions to Prepare for Secure Meetings."

Zoom Account Settings

The default settings for WWU accounts are preset based on security precautions. See detailed instructions below.

  1. Do not turn on: Allow removed participants to rejoin
  2. Consider keeping off: Private chat
  3. Consider keeping off: Remote control
  4. Consider keeping off: Annotation

Zoombombing

Especially in the early days of the pandemic and remote teaching, reports of "Zoombombing" occurred where unintended participants accessed Zoom sessions and were disruptive. Especially at risk are when meeting links are shared widely or are placed on public-facing websites. It is also possible that enrolled students or invited participants could share Zoom meeting access information with a third party.

In case you suspect this happening in your meeting, here are the steps to follow:

  1. Click Security, then
    Suspend Participant Activities
  2. Click Security, select
    Hide Profile Pictures
  3. Click Security, select
    Remove Participant.
  4. Report to ATUS, including user details and screenshots if available.

Your best defense is to regularly update your Zoom software and require authentication for meetings. 

Options If Your Meeting is Zoombombed

Unless recording, take screenshots if you are able to do so quickly.

OPTION A:

If you have updated your Zoom software since 11/16/20,* the host and any co-hosts will have these options to stop all student interactivity:

  • Suspend Participant Activities: From the control bar, select:
  1. Security > Suspect Participant Activities, and;
  2. Security > Hide Profile Pictures.
  3. Select Remove (host only) for the offending participant(s):
    1. Via Participant panel (hover over the name)
    2. Via Video thumbnail (from 3-dot menu)
    3. Via the Security icon

OPTION B:

If the Suspend option is not available to you, the most immediate stop to the situation is to end the meeting for all. If possible, let participants know where to check (e.g. Canvas) for further instructions. 

  • End Meeting for All. Before starting the meeting again, check the meeting settings listed above.

OPTION C:

If you do not have the “Suspend” option available to you in the Security tab, and don’t want to end the meeting, here is how to regain control of the meeting in earlier versions of Zoom.

  • Change Settings During Meeting: If you can regain control of the meeting, it can proceed without ending.
    1. Select Remove (host only) for the offending participant(s):
      • Via Participant panel (hover over the name)
      • Via Video thumbnail (from 3-dot menu)
      • Via the Security icon
    2. Select Mute All from the Participants panel. Co-hosts and hosts can do this.
    3. From Participants 3-dot menu, 
      • Uncheck “Allow Participants to Unmute themselves”
      • Check Enable Waiting Room
      • Check Lock Meeting
    4. From Chat 3-dot menu, 
      • Check “Participant Can Chat With… No One”
    5. If annotation (writing on the screen) occurred, from the More 3-dot menu, select Disable Attendee Annotation and clear annotations (trashcan icon).

Notify the ATUS Help Desk

Detailed Instructions to Prepare for Secure Meetings

Plan Ahead

  • Plan to give a trusted participant the Co-host role during a meeting to help monitor security issues.
  • Plan to share or discuss community guidelines for participation during Zoom meetings.
  • Decide whether to disable any features that are not needed during Zoom meetings, such as screen sharing or chat.

Security in Zoom Meetings

The security option located on the Zoom toolbar allows the Zoom session host or co-host to respond to any issues that may appear during the course of their class allowing the issue to be resolved without the need to stop the class.

  1. Lock Meeting 
    This setting locks the Zoom session so no additional participants may enter the session
  2. Enable Waiting Room
    This allows you to set up a waiting room which can be used in place of a passcode to secure your Zoom session. 
  3. Hide Profile Pictures
  4. Allow Participants to:
    This allows you to control the options that session participants will have access to such as: 
    • Share Screen
    • Chat
    • Rename Themselves
    • Unmute Themselves
    • Start Video
  5. Suspend Participant Activities gives you these options:
    • Turns off video, audio, and screen sharing and will lock the meeting from anyone entering it.
    • Gives the option to report to Zoom. 

      Suspend Zoom Meeting
  6. Remove Participants
    You can use the remove participants option to remove unruly or abusive participants. This is also available from the Participants panel and from the 3-dot menu on each person’s profile picture/video.
     

Zoom Meeting Settings

These settings are accessible as you create or edit a meeting.
 

Edit Zoom Settings

 

  1. Do: Require “Only authenticated users can join” requiring an @wwu.edu account.
    Note that guests from outside WWU would not be able to join the meeting. If this is required on a particular day, remove this setting for that day and follow the suggestions below. 

    Zoom - Only Authenticated Users
  2. Do: Share your “Invite Link” on a secure site (such as Canvas).
    Canvas is a password-protected site that requires signing in through WWU’s user authentication system. 
    • Copy the Zoom “Invite Link” (and passcode if using) and paste it in your Canvas course for your students. It could be in an Announcement, placed in a Module, a page, etc.
    • Warn students that sharing Invite links is prohibited. See sample student notification language above that you can use in your class. 

      Zoom Invite Link
  3. Do: Require meeting passcode and/or Enable waiting room. 
    • Enable “Passcode.” Be sure to share that passcode with your participants securely. 

      Zoom Security Passcode
    • Enable Waiting Room. New arrivals to the meeting will appear in the waiting room area of the Participants list. Click on participant names to admit them one at a time or Admit All. Hosts can also return participants to the waiting room and disable/enable the waiting room during a meeting.
      • You can customize what participants see in the Waiting Room in your account settings. Keep the setting at All participants since most students do not have confirmed Zoom accounts and are essentially guests (even when logging in/authenticating with their WWU email and password). See also: Zoom Help Center - Waiting room 

        Zoom Waiting Rooms
  4. Do not: Enable Join Before Host. 

    Zoom - Do not enable join before host
  5. Do: Mute participants upon entry 

    Zoom - Do mute participants

Zoom Account Settings

The default settings for WWU accounts are preset based on security precautions. These settings are accessible by going to www.zoom.us, logging in with your Zoom for Western account (username@wwu.edu), and selecting the Settings navigational item on the left.

Zoom Settings

 

 

  1. Do not turn on: Allow removed participants to rejoin. 

    Zoom - do not enable rejoin
  2. Consider keeping off: Private chat. 

    Zoom - Do not enable private chat
  3. Consider keeping off: Remote control 

    Zoom - Do not enable remote control
  4. Consider turning off: Annotation.
    Annotation allows participants to use the drawing, stamping, and other notation tools during a screen share. The host can disable this option during each session or keep it from being an option in the first place by turning it off for all meetings in Settings. 

    Zoom - Consider turning off annotation

Recommendations for Public Zoom Meetings 

If you are hosting a Zoom session that requires sharing of a Zoom meeting link with a public audience, consider using these settings. These may also be useful as extra precautions for any meeting. 

For large public events, consider live streaming your Zoom meeting through YouTube or Facebook Live, or using one of the webinar licenses available through Video.Services@wwu.edu.

Zoom - Schedule new meeting

Zoom Meeting Settings

These settings are accessible as you set up a meeting and can be used in addition to the Basic Settings.

  • Enable Waiting Room. This requires the meeting host/instructor to allow entry into the meeting by holding them in a special part of the Zoom participants panel where they are notified they are in a waiting room for your session. 

    Zoom - Enable waiting room
    • When scheduling a new meeting or editing an existing one, enter a checkmark to enable Waiting Room. Even without this setting, a host can enable and disable the waiting room during a meeting.
       
    • The host/instructor will need to admit participants into the Zoom session one or more at a time. 
    • While this feature is particularly useful for “Office Hours” or to control entry to a meeting, it also requires the host’s attention to manage it. 

      Zoom - Registration required
  • Registration Form. If you are scheduling meetings for events and you list these on a public website, you could require a registration form. This can allow you to screen potential attendees, and then email participants the Meeting ID. See Registration for Meetings.

    Note that this does not prevent those individuals from sharing the meeting access information to third parties. Again, consider live streaming your Zoom meeting through YouTube or Facebook Live, or using one of the webinar licenses available through Video.Services@wwu.edu.
     

Resources