Zoom Security Features: Reduce the Odds of Zoombombing
This article applies to: Zoom
Increase the security of your Zoom sessions to reduce the chance of unwanted attendees ("zoombombing"). We recommend using as many of these options as you reasonably can without impacting your course or meeting.
If you are discussing any sensitive or confidential information in your meetings, these measures become that much more important. If someone does sneak in, they could listen, capture screenshots, or disrupt the meeting with unwanted video or audio. If someone you don't know does join your meeting, instructions are available below to Remove a Participant.
Update to the Latest Version
Keep your Zoom client application updated to the latest version.
- For users with Cornell-managed devices the latest version is available through Self Service for Macs and Software Center for Windows devices. Completing installation may require restarting your computer.
- Users with personally owned or non-managed computers should update Zoom by opening their profile settings (click your profile picture in the top-right corner), then clicking Check for Updates.
For full details, visit Check Your Zoom Application Version and Upgrade to the Most Recent Version.
Security Icon Options for Hosts
Zoom hosts will see the meeting Security icon. Clicking the icon shows a number of useful options in a single menu.
Hosts can toggle the following options on or off during meetings. Active features are identified with a checkmark. Clicking an active feature again toggles it off.
When a meeting is locked, no new participants can join—even if they are authorized users or have a passcode. See more below.
Enable Waiting Room
When this option is turned on, participants are placed in a virtual waiting room until admitted by the host. See more below.
- Allow participants to:
Turning this option off prevents participants other than the host from sharing their screens.
Turning this option off prevents participants other than the host from using the Chat feature.
Turning this option off prevents participants from renaming themselves in the meeting.
Annotate on Shared Content
Turning this option off prevents participants other than the host from using annotation tools such as Draw, Stamp, Spotlight, Text, and Erase when screen sharing is used.
Dismiss a participant from the meeting. The removed individual cannot rejoin the meeting unless you have enabled Allow Participants and Panelists to rejoin in your account settings.
Report abuse directly to Zoom. Please continue to report abuse during Cornell Zoom meetings to firstname.lastname@example.org as well.
In addition to using the Security icon menu to control meetings, consider setting the following options when scheduling meetings:
Enable the "Waiting Room"
The Waiting Room feature lets hosts control when each participant joins the meeting. As the meeting host, you can admit attendees one by one, or hold all attendees in the virtual waiting room and admit them en masse. This requires more work by the host, but only allows participants to join if you specifically admit them.
Require User Authentication
Require attendees to authenticate by being signed in to Zoom using a Cornell NetID and password. Adding this measure can also save you from having to admit them from the Waiting Room, and also automatically provides their Cornell names in the meeting Participants list. See Require Authentication to Join Zoom Meetings for details.
Disable "Join Before Host"
If you are scheduling a meeting where sensitive information will be discussed, it's best to leave Enable join before host turned off. (You can find the option under Meeting Options when scheduling a meeting.) Visit Zoom's Join Before Host help page for more information. It's strongly recommended that hosts also activate Only authenticated users can join when using this option.
The Join Before Host option can be convenient for allowing others to continue with a meeting if you are not available to start it, but with this option enabled, the first person who joins the meeting will automatically be made the host and will have full control over the meeting.
Another option is to assign an Alternative Host.
It's still possible for a meeting to start without you (the host) even if Join Before Host is disabled. If you have given someone Scheduling Privilege, which allows them to schedule meetings on your behalf, then when that person joins a meeting before you, the meeting will begin and they will be made the host. This is typically not a problem, as the recommendation to disable Join Before Host is based on preventing unwanted/uninvited participants from hijacking a meeting. After you join, the role of Host can be reassigned to you.
Meeting passcodes (previously called passwords) are now required. Passcodes are encrypted within the join meeting link and participants can join without entering it.
Attendees who only have the meeting number and not the full link that includes the passcode will need to enter this passcode to enter the meeting. You'll need to communicate your passcode to those attendees, or use a passcode known by them already.
Limit Screen Sharing to the Host
By default, screen sharing in Zoom meetings is limited to the host. You can change this if necessary to allow other attendees to share their screens. If you do make this change and decide to return to having screen sharing be limited to the host, while in your meeting:
- Click the next to Share Screen.
- Select .
- Under Who can share, click .
This won't be appropriate when multiple participants will need to share and collaborate, but this restriction prevents unwanted attendees from interrupting the meeting with intrusive sharing.
Meeting Security When Scheduling Zoom Meetings Using Your Outlook Calendar
If you add a Zoom meeting to your calendar using the Outlook Zoom add-in, the appointment text may include the full Zoom link including the encrypted Zoom meeting passcode. If you have set up your calendar so that it is open for all colleagues to view the details of your meetings, this can expose the ability to enter the meeting to anyone who views your calendar. You can protect the passcode by making the calendar entry private.
Remove a Participant from a Zoom Meeting or Webinar
If you have already begun a session and find an unwanted attendee has joined:
- If the Participants panel is not visible, click at the bottom of the Zoom window.
- Next to the person you want to remove, click .
- From the list that appears, click .
Lock Your Session
The Security icon menu lets hosts quickly and easily lock a meeting by clicking Lock Meeting there. Be aware that when a meeting is locked, no one else can join and you (the host or co-host) will NOT be alerted if anyone tries to join—so don't lock the meeting until everyone has joined.
If Zoombombing Abuse Does Occur
You should be aware of the emotional impact online abuse can have. Imagery that shows the violation of basic human rights (of adults or children) or targets a community is deeply troubling and can be traumatizing. Re-traumatization of victims of sexual violence, assault, or discrimination is also possible. There is also a risk of inappropriate exposure to children who are in the home environment of the remote worker. If an event is intended a child audience, consider recording the program instead of having it live.
If online abuse does occur (regardless of audience), do not pretend that it did not and power through the meeting—and never just advise participants to simply to look away. Rather, end the meeting swiftly and report the incident as soon as possible to Cornell Zoom Security at email@example.com.
Then, follow up by email or other media to the participants to:
- apologize for the abrupt ending;
- indicate what steps are being taken to prevent reoccurrence;
- express care and concern for the participants; and
- offer mental health resources that are available.