Zoom Bombings are a risk with any publicly advertised Zoom meeting. Here are a few recommended options to consider when planning your next public event.
Please Note: Recommendations are not in any particular order.
For large, publicly advertised Zoom meetings, our recommendation is to use a Zoom Webinar instead of the standard Zoom Meeting format.
Zoom Webinars are the primary tool used for allowing participants to observe without being able to intervene or interrupt. Webinars can be used to bring people up to the panel and allow them to speak, if necessary. Currently all U of I faculty have access to a 500-participant Webinar license, and other accounts can be assigned as necessary. Using a webinar in this way for these meetings would require some prep work to set up all of the panelists that would be allowed to talk openly. Q&A and chat could be used for communication between the host, panelists, and the participants.
If the standard Zoom Meeting is used, we recommend the following options:
These are listed in no particular order.
Recommendation #1: Disable "Allow participants to rename themselves" - Host
Rationale: The Zoom Bomber used a system to automatically cycle their display name to another display name within the meeting. This creates confusion in the heat of the moment and increases the risk of accidentally removing a valid participant from the meeting. Disabling participants' ability to rename themselves locks potential bombers to a single display name and allows them to be removed more easily. (Zoom Support Article)
Recommendation #2: Change the behavior of the waiting room to allow UI logged-in participants to bypass the waiting room. - Host
Rationale: Sometimes external participants will need to be admitted into your Zoom meeting. Requiring UI authentication makes that difficult. This solution is a middle ground. Your regular UI faculty and staff will join the meeting with no issues. Anyone who isn't signed in to a UI account will go into the waiting room. This will allow a larger degree of scrutiny when allowing participants into the meeting instead of bulk "admit all" presses to get people in. This may not be ideal for all meetings but is a good option for many. (Zoom Support Article)
Recommendation #3: Remove the Zoom meeting information from the public webpages/social media.
Rationale: If a meeting ID is visible with a basic search, it will be a target, especially in higher-ed. Discuss whether the public visibility is worth the risk.
Recommendation #4: Response to Zoom Bombing event - Suspend participant activities - Host
Rationale: During a meeting the host can go to Host tools and use the Suspend participant activities option. This is a "break glass in case of emergency" option as it will disable the ability for all participants to perform any activities within the meeting. This gives the host time to assess the situation and remove disruptions accordingly. (Zoom Support Article)
Recommendation #5: Disable Web Browser access to Zoom meetings - Institution Wide
Rationale: Oftentimes Zoom bombers will use a web browser to access the meeting. Disabling this access would potentially limit these sorts of attacks. However, disabling web access may inadvertently restrict students' ability to access their classes, since this change would need to be made at the top account level. For that reason, OIT does not employ this option, given its large impact on the U of I.
Recommendation #6: Enable "Only authenticated users can join meetings from web client" - Host
Rationale: This should limit unauthenticated users from joining via the web client. It requires the user to have a Zoom account to join the meeting via the web client. Since most users will be joining via the Zoom application, it will have minimal effect on legitimate users. Unlike Recommendation #5, this can be enabled at the user level, and enabling it is recommended. (Zoom Support Article)
Recommendation #7: Enable request permission to unmute audio - Host
Rationale: This allows better control of the audio from participants. For recurring meetings this request will be persistent. Once regular attendees have been allowed to unmute their audio during the first meeting, they will be able to unmute in later meetings without asking permission. New attendees will need permission from the host. (Zoom Support Article)
Recommendation #8: Require users to be signed in to the Zoom Client - Host
Rationale: This change will limit people who are not signed in from joining the meeting. With our current setup, it requires enabling "Only authenticated meeting participants and webinar attendees can join meetings and webinars" and changing the default option to "Sign in to Zoom Client." This will open up the authentication option beyond UI Zoom accounts but will still require an account. Unlike most security recommendations, this can be combined with a Waiting Room to provide a level of added security without too much hassle. (Zoom Support Article)
Additional information: Zoom's Best Practices
Zoom also has an article outlining best practices for Zoom meetings. The article has additional resources for settings that can be enabled depending on your particular concerns. (Zoom Support Article).
We hope this gives you the information needed to provide a less disruptive experience for online meetings.