ZOOM Meetings: Intrusion Prevention Domain & Account Settings

By: Rabbi Avi Bloom
KC Topics: Coronavirus, Technology


ZOOM has quickly become one of the most popular tools that schools use to convene classes and meetings during the current period of distance learning.  Much has been written about Zoombombing, a phenomenon where unwanted attendees enter and disturb publicly accessible meetings. The following list of tools, features and settings is designed to help schools and other organizations mitigate, and hopefully eliminate, the growing problem of “Zoombombing.”  Many are also referenced in a blog post and video released by ZOOM.

Note: Some features are only available if the meeting host has a pro, education, or business ZOOM license. 

Pre-Meeting Settings Configuration

The following settings can be configured either in the zoom.us web dashboard or in the settings for an individual meeting.  In some cases it is necessary to turn the setting on in the dashboard and also enable it for specific meetings. Dashboard settings can be managed at the user, group, or domain level and can be locked to not allow individual users to change their settings. 

Keep Links Private - Zoom links and meeting ID numbers should never be published on social media, public-facing websites, school blogs, or any other medium accessible to people beyond the intended participants.  Schools should certainly not publish a full list of all meeting links, even internally. Students should only have access (through email or a Learning Management System) to the meeting links for the meetings they are attending.

Domain Authentication - The best way to secure your Zoom meetings is by requiring authentication for users to join the meeting.  By using authentication profiles you can restrict meeting attendance to members of specific domains.  The attendees will only be able to join the meeting if they are signed in to the Zoom application with an account on an approved domain. If all of your faculty and students are using school-based email addresses, this is the best option to consider for keeping meetings secure.

Meeting Passwords - You can require all attendees to enter a password to join the meeting.  Never publish meeting passwords alongside the meeting links. For recurring meetings, change the password regularly.  The challenge with passwords is that they can be shared as easily as meeting links.

Waiting Room - Having people join a waiting room before entering the meeting can be a helpful way to ensure that only desired participants are allowed in.  It also gives the host a chance to set up all in-meeting settings before participants join. Waiting rooms can be enforced at the user, group, or domain level.  If desired, you can disable the waiting room once the meeting begins so it need not be monitored throughout.  

Join Before Host - This setting allows participants to join before the host officially starts the meeting.  It can be disabled at the user, group, or domain level, and it should be turned off and locked for all users.

Allow Removed Participants to Rejoin - This setting should be turned off and locked for all users.  Otherwise, anyone who is removed from a meeting can simply rejoin. 

Screen Share - You can set the default for screen share during meetings.  This should be set to allow only the host of the meeting to screen share.  Once it is set to host only, you can either lock the setting, so that individual hosts cannot enable participant sharing in their meetings, or leave it unlocked, so that hosts can allow participant sharing within a specific meeting if desired.

Co-hosting - Enabling this will allow hosts to assign co-hosts during the meeting to help manage participants, chat, screen share and other features. 

Annotation - This feature allows participants to add information to shared screens.  This can be disabled in the dashboard at the user, group, or account level or within a meeting itself.  

File Transfer - It’s advisable to disable the ability for users to transfer files in the chat box during the meeting.  This can be enabled if a particular host has a need for it.
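
The settings above can be checked against an exported configuration. The following is an added example, not part of the original article or any ZOOM tooling: it resolves each setting across the account, group, and user levels and reports where the effective value departs from the recommendations in this list. The setting names, the export structure, and the rule that a lock at a higher level overrides lower levels are assumptions made for illustration.

```python
# Baseline taken from the recommendations above. Key names are hypothetical,
# not ZOOM API fields. Each value is (required_value, must_be_locked).
BASELINE = {
    "join_before_host": (False, True),
    "allow_removed_rejoin": (False, True),
    "waiting_room": (True, False),
    "screen_share": ("host_only", False),
    "file_transfer": (False, False),
    "require_auth_domain": (True, False),
}

def effective(setting, account, group, user):
    """A lock at account or group level wins; otherwise the most specific level wins."""
    for level in (account, group):
        entry = level.get(setting)
        if entry and entry.get("locked"):
            return entry["value"], True
    for level in (user, group, account):
        if setting in level:
            return level[setting]["value"], False
    return None, False

def audit(account, group, user):
    findings = []
    for name, (want, need_lock) in BASELINE.items():
        value, locked = effective(name, account, group, user)
        if value != want:
            findings.append(f"{name}: effective value {value!r}, expected {want!r}")
        elif need_lock and not locked:
            findings.append(f"{name}: correct but not locked; users can change it")
    return findings

# Constructed sample export (assumed structure, for illustration only).
ACCOUNT = {
    "join_before_host": {"value": False, "locked": True},
    "allow_removed_rejoin": {"value": False, "locked": False},
    "waiting_room": {"value": True, "locked": False},
    "screen_share": {"value": "host_only", "locked": False},
    "file_transfer": {"value": False, "locked": False},
    "require_auth_domain": {"value": True, "locked": False},
}
GROUP = {"screen_share": {"value": "host_only", "locked": True}}
USER = {
    "join_before_host": {"value": True},            # ignored: locked at account level
    "screen_share": {"value": "all_participants"},  # ignored: locked at group level
    "file_transfer": {"value": True},               # takes effect: nothing locks it
}
if __name__ == "__main__":
    print("\n".join(audit(ACCOUNT, GROUP, USER)))
```
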

In-Meeting Controls

It is critical that all hosts are comfortable managing participants during a meeting.  If an outsider does gain access to the meeting, there are important steps the host can take to continue the meeting safely.  

  1. In the “Manage Participants” box during a meeting, hosts can:
    a. Remove Participants
    b. Mute participants
    c. Turn off participant video for any participant
    d. Allow or not allow participants to unmute themselves
    e. Allow or not allow participants to rename themselves
    f. Lock the meeting - so no new attendees can join
  2. The settings in this section may or may not be available within meetings depending on how the pre-meeting account settings are configured.
    a. Manage participant screen share - in the <screen share - advanced options> participant screen share can be enabled/disabled.
    b. Disable attendee annotation - within the meeting, this can only be disabled while the screen is shared, and must be disabled for each person who will be screen sharing.
    c. Disable or limit in-meeting chat.

In a short timeframe, we have transitioned our schools to an online environment that is fostering student learning and maintaining the essential connections between our faculty and students. By taking the necessary steps, we can ensure that our digital schooling maintains the safety standards of our classrooms.