On This Page
Technology for Remote Work
How to Host a Secure Zoom Meeting and Prevent Zoombombing
Zoombombing occurs when a Zoom meeting link is exploited or hacked by bad actors seeking to disrupt meetings by posting pornographic or otherwise inappropriate images or video, hate speech, harassing commentary, threats, and other disruptive content. Nearly all Zoombombing incidents can be prevented if the Host configures Zoom settings appropriately for their meeting format.
Zoom has default settings that can be enabled and disabled by the Host prior to scheduling a meeting.
- Visit https://uci.zoom.us and log in to your account.
- Click on Settings
- Verify these key settings below (not all settings are listed here)
|Zoom Setting Name||Most Restrictive
|Configurable in Meeting
(Mixed / Blended)
|How can this setting be used in
|Chat (Public)||Off||On||Yes, if enabled
|Profanity, racial comments, and inappropriate disclosure of personal information can be shared publicly through chat.|
|Private Chat||Off||On||Yes, if enabled||Harassment, bullying, profanity, racial comments, and inappropriate feedback can be made through Private Chat.|
|File transfer (this feature is part of Chat)||Off||On||Yes, if chat is enabled||Viruses and offensive material can be distributed through file transfer.|
|Screen Sharing - Who can share?||Host Only||Host only||Yes||Offensive material can be displayed on the screens of all Participants.|
|Annotation||Off||On||Yes, if enabled||During a screen share, offensive drawings and disruptive annotations can be displayed on screens of all participants.|
|Allow removed Participants to rejoin||Off||On||No||If On, Participants who are intentionally “Removed” can rejoin again from the same computer/device.|
|Waiting Room||Enabled for Guest Participants Only||Disabled||It Depends
(This feature can be enabled at the time of scheduling the meeting or in the meeting itself.)
|For classes, the Waiting Room should be enabled for Guest Participants and when scheduling each class check “Enable Waiting Room.” All students, TAs, and Instructors have a UCI Zoom account and will immediately be granted access while Guest Participants (who are not authenticated) will be held in the Waiting Room until invited in the room.
For public events, Waiting Room is not needed.
Zoom has default settings that can be enabled and disabled by the Host prior to scheduling a meeting. If a feature will never be used, disable it in default settings. If a feature will definitely be needed for most meetings, enable it in settings AND manage the feature at the start of every meeting.
There is no single list of settings applicable to all meeting formats. More information on Zoom Settings: https://support.zoom.us/hc/en-us/articles/115005756143-Changing-your-meeting-settings
- Visit https://uci.zoom.us/ and log in.
- Go to Meetings and select “Schedule a New Meeting”
|Zoom Setting||Recommended Setting||More Information|
|Registration||On if your meeting has no authentication or sign-up||If your meeting has no authentication or sign-up (external survey), you can require registration to have more accurate data on valid Participants.
This feature prompts participants for First name, Last Name, Email Address, Confirm Email Address, and a ReCAPTCHA check. All information is required from all Participants before entry is granted.
|Meeting ID||Generate Automatically||Never use a Personal Meeting ID. It is too easy to guess and can be an easy target for bad actors to repeatedly interrupt the same Host.|
|Meeting Password||Checked or Unchecked||If checked, this setting is combined with “embed password in meeting link for one-click join.” You do not need to share the password with users, just share URL and the password will be encrypted and included.|
|Video||Host Off and Participant Off||Do not start video automatically; instead, allow everyone to activate video when they are ready.|
|Audio||Both||Telephone and Computer Audio.|
|Enable join before host||Unchecked||Do not allow Participants into the meeting until you are able to Host|
|Mute participants upon entry||Checked||Make sure all Participants are muted upon entry.|
|Enable waiting room||Checked or Unchecked||If all Participants have a UCI Zoom account or if the meeting is for instruction, you can leave this feature checked.
If the meeting is public or Participants will not have a UCI Zoom account, leave this feature unchecked. It is not necessary to combine this feature with “Only authenticated users can join”.
|Only authenticated users can join||Checked (UCI Accounts) or Unchecked (Public)||If all Participants have a UCI email account OR an account on another UCI-affiliated Zoom service such as UCI-Hipaa Zoom, UCI Health Sciences Zoom, Merage Zoom, UCI Law Zoom, etc. you can leave this feature checked.
If the meeting is public or Participants will not have a UCI email account, leave this feature unchecked. It is not necessary to combine this feature with “Enable Waiting room”
|Record the meeting automatically||Checked||Encouraged|
|Alternative Hosts (email addresses)||Add UCI email addresses of alternative hosts||If you are scheduling this meeting on behalf of someone else, it is essential that you add all speakers as Alternative Hosts. These are people who can present, screen share, configure in-meeting settings, keep an eye on Participants, and limit access to features. Alternative Hosts must have a UCI Zoom account or they cannot be added. During the meeting, the Host or Alternative Host can assign any user the role of Co-Host. While the Co-Host feature set is limited, they can still help moderate.|
Get the latest Zoom Client
It is a good idea to frequently visit https://uci.zoom.us/download and grab the latest Zoom Client for Meetings (the minimum recommended version is 5.0.0). Some client updates and bug fixes are available for download but not communicated to users while more significant enhancements or security fixes do force a notification to appear for an optional upgrade to the client.
More information on scheduling Zoom meetings: https://support.zoom.us/hc/en-us/articles/201362413-Scheduling-meetings
When your meeting begins and Participants are entering, quickly make the following changes to your settings:
Press the Participants button to open the side menu, then press More (on the bottom right).
- Check Mute Participants upon Entry.
- Uncheck Allow Participants to Unmute Themselves.
- Uncheck Allow Participants to Rename Themselves.
- Press the “Mute All” button next to the More menu
Press the Chat button, then press the 3 dots icon (...)
- Unless you have authentication on your meeting, it’s recommended to select No One or Host only.
Limit Screen Sharing
On the right side of Share Screen, press the icon then press Advanced Sharing Options.
- Check “One participant can share at a time”
- Check “Only Host” - This setting is VERY important. If you check “All Participants,” someone can display inappropriate images or videos to all meeting participants.
- If you wish to allow participants to share their screen during the meeting, press the Participants button, locate the individual, press the More button, and Make Co-Host.
When they are done sharing the screen, return to the same menu, and press Withdraw Co-Host Permission.
When Screen Share is used, if you enabled the Annotate feature in settings, immediately press More then “Disable Attendee Annotation.” This will prevent Participants from drawing on your screen.
This setting can also be disabled after Screen Share begins by pressing the Security button and unchecking “Annotate on Shared Content”
Report a Zoombombing Event
A Zoom Meeting is designed to show all Participants on the screen throughout the presentation. As such, there are a few things to keep in mind. A user may have an inappropriate Virtual Background. A user may be making inappropriate gestures. A user might have roommates, partners, or spouses who are inappropriately dressed. There is no setting in Zoom Meetings to globally disable the video from all users. As such, it’s best to have an Alternate Host (assigned before the meeting) or a Co-Host (assigned during the meeting) who can quickly identify any users with inappropriate video and disable their ability to show a video during the meeting.
Stopping Video of a Participant
Removing a Participant
Should a participant need to be removed from your meeting. The fastest way is to use the new Security button. If you do not have this button, upgrade your Zoom Client for Meetings by visiting https://uci.zoom.us/download
If you know the name of the individual, press the Security button, and select Remove Participant. A list of all Participants will appear on the right. Select Remove next to any Participants and press OK.
You can also remove someone while in Gallery View
Before ending your meeting and even if you used Remove on several users, if you wish to Report individuals to Zoom, press the Security button then press Report… Select the name or names of users from a dropdown list and complete the form. On the bottom, press Send. Please note that these reports are sent only to Zoom’s Trust & Safety team. Consequently, these reports are not shared with UCI Zoom campus admins or any other UCI affiliates. Reporting a user in this way does NOT initiate any form of investigation or other action by UCI staff.
Report disruptions to UCI
If the incident involves UCI students or if the interruption may include a criminal act, please email TechPrep@uci.edu with the meeting ID and any details you can provide. This information will be investigated and turned over to UCI Security, Dean of Students, and/or the UCI Police Department as appropriate under campus policies and relevant legal requirements.
More information on Managing Participants in a Zoom meeting:
While most Zoom-Bombing incidents are disruptive pranks, some can be extremely graphic, including violence, sexual assault, and racial comments. These images, texts, and spoken words may be highly troubling to Hosts and Participants, who may benefit from timely professional assistance.
If you are an employee and would like to speak about a Zoom incident, please reach out to the Employee Assistance Program: http://wellness.uci.edu/facultystaff/eap/introduction.html
If you are a student and would like to speak about a Zoom incident, please reach out to the UCI Counseling Center: https://counseling.uci.edu/
“Zoombombing” is the exploitation of publicized or hacked Zoom links combined with misconfigured user settings designed to interrupt live conferencing with the posting of pornographic or otherwise inappropriate images or video, hate speech, harassing commentary, threats, and other disruptive content. This can be initiated by one individual, a small group, or a coordinated global attack typically activated when a Zoom link is posted on a public forum or twitter account monitored by bad actors.
The good news is that nearly all Zoombombing incidents can be prevented if the Host configures Zoom settings appropriately for their meeting format. For example, the Host of a small collaborative meeting (where Participants are all known to each other) may encourage everyone to chat publicly and privately, exchange files through chat, allow everyone to freely share their screens and annotate, or enable microphones to go on and off at any time. In contrast, the Host of a public meeting (where Participants are not known to each other), would likely need to have a number of limitations in place so the presentation doesn’t get interrupted and other Participants aren’t distracted by inappropriate actions.
The challenge is in allowing certain Zoom features to be enabled given the meeting format AND for every Host to have a proper understanding of Zoom settings so they can 1) lock down specific features until they are needed, and 2) quickly halt interruptions when they arise.
For instruction and meetings where everyone has a UCI Zoom account, we encourage the Host to enable the Waiting Room option for Guest Participants only. This allows authenticated UCI Zoom accounts to immediately join the meeting while all other users are left in the Waiting Room until expressly permitted by the Host, Co-Host, or Alternate Host. A second option for meetings is to enable “Only authenticated users can join” where anyone who has a uci.edu email address will immediately get into the meeting while all others are prevented from joining. This is a good option when all Participants have a UCI email account OR an account on another UCI-affiliated Zoom service such as UCI-Hipaa Zoom, UCI Health Sciences Zoom, Merage Zoom, UCI Law Zoom, etc. Once your meeting requires users to be logged in, the scope of interruptions is limited to a smaller set of Participants.
In some cases (such as public meetings), the requiring of authentication is not possible. Here are some ways you can evaluate the risk of your Zoom configuration for your Zoom event.
|Risk of Zoombombing||Description||Impact|
|Low Risk||Immediate entry is given to authenticated users while guests are either moderated (Waiting Room) or denied entry (Only authenticated users can join).||UCI affiliated audiences are less likely to interrupt the presentation. We recommend this approach for instruction.|
|Medium Risk||In meetings where authentication is not possible, one approach is to restrict the meeting URL by using a sign-up sheet (external survey for registration). This allows reminder notices to be sent in advance and the direct sharing of a meeting link one or two days prior with a limited number of Participants.||By limiting the distribution of the meeting link to only those individuals who register, there will be less opportunity for bad actors to interrupt the meeting. Locking down all collaborative features is still recommended.|
|High Risk||In some cases, it is necessary to advertise the meeting link in a Zotmail, on a poster, in a press release, etc. When this is absolutely required, it is essential that steps be taken to lock down all collaborative features.||There are bad actors who search for advertised meeting links, share with friends, post on twitter and forums, then attempt to exploit Zoom collaborative meeting settings with intent to disrupt.|