Overview
Zoom bombing happens more often than you would think. Take these immediate steps to protect your meetings.
If you are Teaching Live Via Zoom for StMU Students
Ensure the "Only authenticated users can join" setting is enabled to best protect your meeting. Students will need to be logged in to the Zoom application before they can join. Any meeting attendees who are not logged in to Zoom with StMU credentials will not be able to join.
If you are enabling this setting, inform your students that they will need to log in to the Zoom application to access the meeting.
If Your Meeting Includes Non-StMU Attendees
Ensure the "Only authenticated users can join" setting is disabled for these meetings. Instead, you can protect such meetings by:
- Enabling the waiting room feature.
- Setting a meeting password. Share this password with your invited attendees via a message separate from the meeting invitation.
These features provide effective protection against uninvited external individuals in your Zoom meetings.
What to do if You Encounter a Zoom Bombing
- The meeting host can use the Manage Participants window to remove disruptive participants from a meeting. Removed participants cannot re-enter the meeting.
- If you have too many unwanted participants to manage, consider ending your meeting.
- Avoid publishing recordings of classes with incidents. StMU ATS will follow up with faculty regarding the need to publish when a Zoom bombing report is made.
10 Best Practices To Prevent Hijacking
- Use secure methods for sharing links to meetings: invite attendees directly from conference service applications or include meeting links in enterprise calendar requests. These methods are more secure than sharing links via email.
- Avoid using personal conference "rooms" or personal meeting IDs. Instead, create a specific meeting request for each meeting. A unique meeting link is one-time-use only, so malicious users cannot drop in on future meetings.
- Make meetings private whenever possible. Conference attendees should be specifically invited (vs. allowing anyone with the valid meeting link to connect).
- Require a password from all users to join a meeting. The password should not be posted alongside the public meeting link.
- Enable "waiting room" functionality to require participants to be approved by the host before joining the conference.
- Require the host of the meeting to be present before the meeting starts for participants. This will protect against malicious users arriving before a presenter and assuming the host controls for the meeting.
- Presenter controls such as screen sharing, mute controls, and the ability to eject users from conferences should be restricted to the meeting organizer and only delegated to authorized contributors when needed. Disable the ability for participants to assume the presenter role.
- File transfer mechanisms should be disabled by default for all meetings to protect attendees from malware delivery. Enable this on an as-needed basis only.
- Wherever possible, restrict webcam auto-enablement and video sharing from participants.
- Users should NOT click on meeting requests from unknown users or for meetings they are not expecting to be invited to. Malicious users will attempt to send mass emails with seemingly valid web conference invites. URLs and links for meetings shared in email should be closely reviewed for accuracy before clicking.