
Contact Us

CSUN Information Technology


Monday to Friday, 8am to 5pm

Faculty Technology Center
(818) 677-3443

IT Help Center
(818) 677-1400

Information Security
(818) 677-6100

Universal Design Center
(818) 677-5898

Classroom Support
(818) 677-1500

Send email

Check our social media for changes and updates.

  


How To Keep Your Zoom Sessions Secure

Zoom is a synchronous (live) web conferencing tool that is fantastic for fostering meaningful instructor-student and student-student interactions. It is being used by many faculty to assist with a smooth transition to temporary remote teaching and learning. Consider the security implications of the Zoom meetings that you set up. It is important to properly secure your meeting if there is any discussion of Level 1 or Level 2 data. In addition, for a video meeting, it is important to secure the recording if minors or non-CSUN participants are involved.

Quick Guide

Zoombombing and other disruptions to class are a reality today, especially with the sheer volume of meetings taking place on the platform, CSUN and otherwise. These disruptions are not isolated to Zoom – they take place on other platforms as well. Many of these incidents are avoidable with the right settings. It all depends on how much you need to lock down your class. We've split these recommendations up into four main sections: Basic Security, Next Level Security, Highest Level and Extra Options. 

Screen Sharing

It is important to control who can share screens and annotate (mark up) your shared screen. By default, only the host can share their screen. You can change this with the Security button, which lets you allow sharing from participants.

Annotation

Annotation is another feature that you’ll want to control. We recommend allowing only the user who is sharing to annotate. This means that a bad actor cannot mark up your shared screen while you are in control. Only you can annotate.

Sharing the Zoom Link in a Secure Location

Share your meeting links only in secure locations. Email is not secure. Canvas is. One of your students could, of course, still share the link with a bad actor, but at least a user has to sign in to Canvas before getting to the link.

You may embed Zoom Class links in weekly modules by using the + Module Item in Canvas and selecting the External URL feature.   

Copy and paste your Zoom Meeting URL and give the link a name (e.g., Virtual Class Link, Zoom Link).

Passcodes

A meeting without a passcode is an invitation for Zoombombing. Bad actors can “robo-dial” thousands of meetings at a time looking for one that doesn’t have a passcode, and get in. Passcodes are now a default for any meetings created since August 14th. If you created meetings before this, simply:

  1. Log in to Zoom at csun.zoom.us.
  2. Find your meeting.
  3. Check the use passcode box.
  4. Redistribute the new link to the meeting.

The last step is the most important. A new link will be generated, so you’ll have to pass that out. Also note that our administrative default setting is to embed the passcode into the link. The good news is that users still just click on a single link to get in. The bad news is that sharing that single link with a bad actor (someone outside your class) gets them in, too.

Examples:

Normal Zoom Link Example: https://csun.zoom.us/8122067712

Secure Password Embedded Zoom Link: https://csun.zoom.us/787200447?pwd=M1hWaC8wWUNqU2RYckFWR2hSQ

Waiting Rooms

A waiting room is a holding area for students to go into before being allowed into class. Someone (usually the instructor) has to monitor the waiting room to let students in. We recommend urging your students to be on time to class so that you do not have to watch the waiting room several minutes into class. You can do anything from verifying appropriate usernames before letting them in (a common habit of bad actors is to use usernames in poor taste) to comparing usernames to rosters.

Note: Either a waiting room or a passcode will be required in the future, making some of this conversation moot, but this is a worthwhile topic to discuss and understand nevertheless.

A step up from either passcodes or waiting rooms is to only allow authenticated users to join the meeting. This means that only students that have logged into Zoom.us are allowed in. This is regardless of using the other security measures. When choosing your options, you can even set it so that only authenticated users from csun.edu and/or my.csun.edu are allowed in. This means that a student must do single sign-on (SSO) prior to entering the class, with CSUN credentials. This is the highest security level, as it makes it easily identifiable who is doing what. They cannot hide behind fake usernames.

If set, users will see this message:

Disabling Chat

Follow these instructions to disable chat in a Zoom meeting:

  1. In the Zoom meeting window, select Chat.
  2. In the Chat panel, select the Chat menu icon.
  3. In the pop-up window, select No One to prevent participants from chatting in the meeting.

Muting All

  1. Select the Participants (Manage Participants) button in the Zoom toolbar. This is located at the bottom of your session window. 
  2. At the bottom of the Participants window, select More.
  3. Choose Mute Participants on Entry.
  4. Deselect Allow Participants to Unmute Themselves.

Removing Unwanted Participants

In Zoom, open the Participants list.

  1. Select the unwanted participant. 
  2. Select More.
  3. Select Remove

Note: Unless you have enabled the option to allow removed users to return, that specific account will not be able to rejoin the meeting. View Manage Participants in a Meeting (video).

For more information about Zoom Security, please visit these links below:

Best Practices for Securing Your Virtual Classroom
How to Keep Uninvited Guests Out of Your Zoom Session
A Letter from Zoom’s Management Team to Customers and Users 
CSUN's How to Keep Your Zoom Sessions Secure

Should you experience a disruption to your class, please contact the IT Help Center at (818) 677-1400 to report the situation. We will triage, address, and/or route the issue to the appropriate teams (e.g. security).

Latest Zoom Update

To enhance the security of Zoom sessions, and in anticipation of a global change Zoom is set to make on September 27, we will soon be requiring passwords on all newly-created Zoom meetings. This change will happen prior to the beginning of the Fall semester. Additional information will be available in the future, as we approach these dates.

Meetings scheduled without a passcode will show a red icon in the Zoom web dashboard, along with a red exclamation point next to the meeting name. For instructions on adding a passcode to your scheduled meeting, visit the accordion section titled "How do I keep my Zoom meeting secure?" on the CSUN Zoom main page.

For more information on these new requirements, visit Zoom's FAQ Meetings Waiting Room and Passcode Requirements page

Most likely, your Zoom In-Meeting settings at the account level are set to allow all participants to share. Giving students the opportunity to share their work is a powerful feature of Zoom. It is best to leave this setting enabled at the account level and make fine-tuned adjustments within meetings when it is not appropriate for others to share.

Below is a screenshot of the Zoom meeting settings at the account level. To check your account settings, go to https://csun.zoom.us/, sign in, choose Settings on the left, and then select In-Meeting (Basic) and scroll to Screen sharing.

Screen sharing options in Zoom

In-Meeting Screen Share Settings

  1. In the Zoom toolbar, select the caret next to Share Screen.
  2. In the Advanced Sharing Options window, make these adjustments:
    • How many participants can share at the same time?
      • Select One participant can share at a time.
    • Who can share?
      • Select Only Host.
  3. When you get to a point in your meeting where you want students to share, return to Advanced Sharing Options and adjust the settings.

If you have Annotation enabled in your In-Meeting (Basic) settings at the account level, that means attendees will be able to annotate on your shared screen at any time. 

To check your account level settings:

  1. Log in at https://csun.zoom.us/
  2. On the left, choose Settings.
  3. Select In-Meeting Basic.
  4. Scroll to Annotation. If Annotation is enabled, that means attendees can annotate on your shared screen.

While this feature can be great for collaborative activities, you can easily deactivate the feature but only once you have begun to share your screen. Follow these steps:

  1. Share your screen.
  2. Select More in the screen share controls.
  3. Select Disable participants annotation.

If you wish to encourage students to annotate your shared screen, simply re-enable the feature by following the same steps.

The Chat feature is a useful feature in Zoom, which allows participants to chat with the group or one another, directly. However, to safeguard your meeting, this feature can be turned off if needed. 

Follow these instructions to disable chat in a Zoom meeting.

  1. In the Zoom meeting window, select Chat.
  2. In the Chat panel, select the Chat menu icon. 
  3. In the pop-up window, select No One to prevent participants from chatting in the meeting.

To enhance the security of Zoom sessions, and in anticipation of a global change Zoom is set to make on September 27, we will soon be requiring passwords on all newly-created Zoom meetings. This change will happen prior to the beginning of the Fall semester. Additional information will be available in the future, as we approach these dates. For more information on Passwords, Waiting Rooms, and these new requirements, visit Zoom's FAQ Meetings Waiting Room and Passcode Requirements page.

The Waiting Room feature allows the host to control when a participant joins the meeting. As the host, you can admit attendees one by one, or hold all attendees in the waiting room and admit them all at once. This prevents a participant from disrupting the meeting before the host has joined. This can be extremely helpful for faculty office hours sessions (to preserve student privacy).  It can be effective during a live class session but will require more management by the host during the session.

Enable Waiting Room

To enable Waiting Room for all users in the account:

  1. Sign in to Zoom as an administrator with the privilege to edit account settings.
  2. In the navigation menu, click Account Management then Account Settings.
  3. Navigate to the Waiting Room option on the Meeting tab and verify that the setting is enabled.
    Note: If the setting is disabled, select the Status toggle to enable it. If a verification dialog displays, choose Turn On to verify the change.
  4. Select who you want to admit to the waiting room.
    • All participants: All participants joining your meeting will be admitted to the waiting room. 
    • Guest participants only: Only participants who are not on your Zoom account or are not logged in will be admitted to the waiting room. If not logged in, they will have an option to log in. 
      Note: If Guest participants only is enabled, you can also enable the option to allow internal participants (users on the account), to admit guests from the waiting room if the host is not in the meeting. 
  5. (Optional) If you want to make this setting mandatory for all users in your account, select the lock icon, and then select Lock to confirm the setting.

To end a meeting for all participants, select End Meeting (only available to the host) and then End Meeting for All (otherwise the meeting will continue for others, including the trolls). If you want to have the meeting continue, you should give another participant host control before leaving the meeting.

Source: 6 Tips to Deter Zoom-bombers in Times of Disruption

Far End Camera Control allows another user to take control of your camera and use Pan-Tilt-Zoom (PTZ) functionality of the camera. This feature opens the session up to security vulnerabilities. For this reason, this feature should be disabled. To verify if it is disabled:

  1. Sign into the Zoom web portal as an administrator with the privilege to edit Account Settings, and select Account Settings.
  2. Navigate to the Far end camera control option on the Meeting tab and verify that the setting is disabled. 

If you add a Zoom meeting to your calendar or create a Zoom meeting in your calendar using the Zoom Outlook Plug-in, note that the calendar entry may include the Zoom meeting password. If you have set up your calendar so that it is open for colleagues to view the details of your meetings, this can expose the password to anyone who views your calendar. We recommend making the calendar entry private or editing the entry to remove the Zoom meeting password.
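One way to check a calendar entry, syllabus, or announcement for join links that carry the passcode before the text goes somewhere others can read it, covering both the calendar case above and the passcode-embedded links described under Passcodes. This Python code is an added example, not CSUN or Zoom code; the function names and sample text are constructed, and it assumes the passcode travels in the `pwd` query parameter of a zoom.us link, as in the example link on this page.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Rough URL matcher; trailing sentence punctuation is trimmed afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample text (not real meetings or passcodes).
SAMPLE = (
    "Office hours: https://csun.zoom.us/j/00000000000?pwd=EXAMPLEPASSCODE. "
    "Lecture (no passcode in link): https://csun.zoom.us/j/11111111111 "
    "Unrelated host: https://zoom.us.example.com/j/1?pwd=x"
)


def is_zoom_host(host):
    """True only for zoom.us and its subdomains, not lookalike hosts."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")


def find_embedded_passcodes(text):
    """Return (original_url, url_without_passcode) for each Zoom link
    in `text` whose query string contains a pwd parameter."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)]")
        parts = urlsplit(url)
        if not is_zoom_host(parts.hostname):
            continue
        query = parse_qsl(parts.query, keep_blank_values=True)
        if not any(key.lower() == "pwd" for key, _ in query):
            continue
        # Drop only the passcode; keep any other parameters as they were.
        kept = [(k, v) for k, v in query if k.lower() != "pwd"]
        clean = urlunsplit(
            (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
        )
        findings.append((url, clean))
    return findings


def redact(text):
    """Replace every passcode-carrying Zoom link with its passcode-free form."""
    for original, clean in find_embedded_passcodes(text):
        text = text.replace(original, clean)
    return text


if __name__ == "__main__":
    for original, clean in find_embedded_passcodes(SAMPLE):
        print("passcode embedded:", original)
        print("  safer to post:  ", clean)
    print(redact(SAMPLE))
```

The passcode-free link still works for invited participants, who are then prompted for the passcode you distribute separately.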

This meeting setting can help reduce audio issues but will also mute microphones for all attendees as they join the room. The ability to allow participants to unmute themselves can be disabled by the host or co-host within the meeting. In addition to the steps below, view Managing Participants in a Meeting (video) for more information. 

  1. Select the Manage Participants button in the Zoom toolbar.
  2. At the bottom of the Participants window, select More.
    • Choose Mute Participants on Entry.
    • Deselect Allow Participants to Unmute Themselves.

How To Encourage Students To Share In Voice

Stop at various points and ask students if they have questions. Instruct them to use the Raise Hand feature to communicate to you that they’d like to speak. You will see a raised hand next to a student’s name in the Participants window. Verbally call on the student and manually unmute the student’s mic.

If a meeting is recorded, the recording is located on the host’s local machine. Please be aware of the content and have all participants' permissions in place before posting the meeting to a public site. We recommend securing the recording using myCSUNBox.

To protect recorded sessions, faculty who choose to record a session should keep those recordings in Canvas or myCSUNbox where they are secure. 

In Zoom, open the Participants list. Select the unwanted participant, select "More," select "Remove."  Unless you have enabled the option to allow removed users to return, that specific account will not be able to rejoin the meeting. View Manage Participants in a Meeting (video)


You can add a password that participants must enter or otherwise have access to in order to join your meeting. You could share the main meeting details more broadly and then distribute the password to only your audience. Also, we recommend that you create unique meetings for each session, rather than reusing the meeting ID for all meetings. If you do, and the meeting is compromised, all meetings using the same meeting ID and password will also be compromised. 

An important feature, outlined below, shows how to “embed password in meeting link for one-click join.” This allows users to click once to get into a meeting, not have to enter the password manually, yet still thwart most unwanted intruders.

Enabling password settings for your account and embedding passwords

  1. Sign in to Zoom at https://csun.zoom.us/ and navigate to Settings.
  2. Navigate to the Meeting tab and verify that the password settings that you would like to use for your account are enabled. Note: If the setting is disabled, select the Status toggle to enable it. If a verification dialog displays, choose Turn On to verify the change.
  3. For Embed password in meeting link for one-click join, turn on the feature by clicking the toggle button.

Note: If the option is grayed out, it has been locked at either the Group or Account level, and you will need to contact your Zoom administrator.

By default, meetings are assigned a random password. You can update the password to one you prefer in your settings. 

For more information on updating passwords visit Meetings & Webinar Passwords

Be Mindful of Where You Publicize Your Meeting

You increase the risk of unwanted guests if you post your meeting details online. Be careful about posting the "join" details of an online event to websites, social media, or other publicly accessible sources.

  • Share the meeting link to only the intended participants. You are strongly advised to share your Zoom session link in your password protected Canvas course, so it can only be accessed by students enrolled in your class. 
  • Ask participants to not share the meeting details beyond the intended audience (class, team, colleagues, etc.).
  • Avoid posting the meeting link, PIN, ID, and/or password on social media or public sources.
  • Use a secure service, e.g. a learning management system such as Canvas, to share or post the links or meeting details.  

If someone has accidentally (or purposely) turned on their webcam and you do not want the video to display, you can use "Stop Video." After doing this, the participant will no longer be able to share their webcam until you choose "Ask to Start Video." For more information on what a host can do, visit Controls for Hosts and Co-Hosts.

To prevent others from screen sharing, the host can share their screen or disable the option for attendees to share their screens. Of course, for student presentations or collaboration, the screen sharing option is vital. As the host, you may wish to configure "Only Host" in the beginning and then allow others to screen share when appropriate. For more information, view Host and Co-Host Controls in a Meeting (video)

CSUN recommends that faculty, staff and students use their browser to connect to meetings rather than the dedicated Zoom app. This reduces the number of possible vulnerabilities a hacker can use to compromise your machine. Chrome, Firefox, Edge and Opera are easy to update and hardened against attacks. If you do want to continue to use the Zoom app, please make sure you are checking for updates regularly.

  1. Security Icon: The Security Icon at the bottom of the screen contains all the Zoom security features previously found in the meeting menus.
  2. Robust Host Controls: Admins will be able to report an unauthorized user through the security icon. They will also have the option to disable the ability for users to rename themselves. For education customers screen sharing is now limited to the host. 
  3. Waiting Room Default: For education customers the waiting room feature is now set by default. The waiting room option is also available as the meeting is in progress.
  4. Meeting password complexity and default-on: Meeting passwords are now on by default. Those who have access to administered accounts have the ability to define password complexity such as length, characters, and/or specific requirements.
  5. Cloud recording passwords: Passwords are now set as a default for those who want to access the recordings aside from the meeting host.
  6. Secure account contact sharing: Zoom will support larger corporations allowing users to meet with contacts across multiple accounts.
  7. Dashboard enhancement: Admin users can view their connection to the Zoom data centers on their Zoom dashboards.
  8. Additional: New non-PMI meetings have 11-digit IDs. Invite and meeting IDs have been removed from ongoing meetings and have been moved to the participants menu, making it harder to accidentally share the meeting ID.

For more information on Zoom, please visit the Keep Teaching – Resources & Tools page.

A new form of trolling has emerged in which a participant uses Zoom’s screen sharing feature to interrupt and disrupt meetings and classes. The disruptions are being termed Zoombombings and the perpetrators Zoom Trolls. These incidents can create significant issues with the teaching and learning of materials, and steps should be taken to prevent them.

Below are some practices that may reduce the likelihood of this occurring during one of your sessions and the recovery actions you can take if it does. 

When in doubt, know how to end a session for all attendees immediately, if necessary. Instructions are in the End a Meeting Immediately section.

To balance security with functionality, review the options below and make the best decisions for your needs. We recommend that you consider a "dry run" with a colleague before your official class or meeting to verify that the settings match your desired outcomes.

Meeting Controls

Zoom Meeting Authentication Options - Ways to prevent Zoombombing (least to most secure)

No Password, No Authentication
  • Prevents: Nothing
  • Vulnerable to: Everything. Link passed around or posted. Anyone can access it anonymously.
  • User experience: User is able to click once for access.

Embedded Passwords
  • Vulnerable to: Link and password shared. Anyone can access it anonymously.
  • User experience: User is able to click once for access.

Separate Password
  • Prevents: War Dialing. Prevents link passing if password is communicated separately.
  • Vulnerable to: Link and password shared. Anyone can access it anonymously.
  • User experience: User clicks on URL and is prompted for the password.

Authentication using CSUN User ID & Password, and allowing Google/Facebook User IDs & Passwords
  • Prevents: Most Zoombombing. Prevents eavesdropping.
  • Vulnerable to: Someone creating a throwaway Facebook or Google account.
  • User experience: If authenticated, the user can click on the link. Otherwise it will ask for authentication.

Authentication using CSUN User ID & Password only
  • Prevents: Most Zoom issues
  • Vulnerable to: Compromised accounts accessing the meeting. (This situation is highly unlikely.)
  • User experience: If not authenticated, you will be asked to authenticate.

Authentication using CSUN User ID & Password with DUO Multi-Factor Authentication (PDF)
  • Prevents: Every Zoom issue
  • Vulnerable to: Least Vulnerable
  • User experience: When clicked, Duo will prompt the user to authenticate.
