Zoom Security Best Practices

KB0011348


UVA Zoom recordings are deleted 180 days after they are saved to the Zoom cloud. If you wish to save Zoom cloud recordings before their deletion date, you must download and save the files to an alternate location.

Recommended Zoom Settings & Actions

To update an existing meeting with these recommended settings, see How to Edit Zoom Settings below.

Avoid posting your Zoom meeting links on public websites, social media, or other public forums. The most secure option is to have participants access your Zoom sessions through UVACollab or other learning management systems that are behind NetBadge. You can also send email or calendar invites directly to your attendees and include the meeting link.

If you have a Zoom account, you are assigned a static 9-digit meeting ID known as your personal meeting room. This room is always active, making it more susceptible to access by uninvited guests.

How to Change Your Zoom Settings to Avoid Using Your Personal Meeting Room:

  • If you access Zoom via Collab to schedule meetings:
    • Make sure the "Use Personal Meeting ID" option is unselected.
  • If you log in directly to Zoom to schedule meetings:
    • Click "Settings" and toggle OFF the option to use the Personal Meeting ID (PMI) when scheduling a meeting.

Hosts can turn on the "Only authenticated users can join" setting to restrict individual meetings to users who are logged in to a UVA Zoom account (virginia.edu, uvawise.edu, darden.virginia.edu, comm.virginia.edu, law.virginia.edu, uvimco.org, eservices.virginia.edu, or goog.email.virginia.edu).

To use this feature, Hosts must turn on the setting for each individually scheduled Zoom meeting.

To turn on the setting for an individual meeting:

  • In "virginia.zoom.us", this setting is found under "Meeting Options" when scheduling a meeting. In the Zoom Desktop Client or app, this setting is found under "Advanced Options" when scheduling a meeting. This setting is also available when editing a previously scheduled meeting that has not yet started.
    • Check "Only authenticated users can join". In the drop-down list, select "All virginia.edu Domains" to restrict the meeting to the UVA Zoom accounts listed above.
    • To edit this list, select "Edit" and change the list of restricted domains (e.g., add jmu.edu user access, remove uvawise.edu access).

If an uninvited participant joins after you start a Zoom session and is disruptive, you should remove them.

However, it is important to note that some students may be joining sessions as guests, so Hosts should be sure to identify these students before removing anyone. If you are teaching a class via Zoom, it could be helpful to provide co-hosts with a class roster, so they can help monitor the list and remove any unwanted participants while you are occupied leading the Zoom session.

Users who did not log in to Zoom when they joined the session will appear as "(Guest)", as shown in the screenshot below. The Zoom setting to identify guests is enabled by default, but if you've changed it, see Zoom's Identify Guest Participants page.

How to Remove an Uninvited Participant:

If an uninvited guest joins the session and is disruptive, click Manage Participants at the bottom of the Zoom window. In the Participants panel, click the More button next to the person you want to remove. From the list that appears, click Remove.

By default, Zoom allows only the host to share their screen. If you have changed this setting, you can change it back and then allow participants to share on a case-by-case basis.

To allow a participant to share his/her screen during a meeting, the host can:

  1. Select the arrow next to Share Screen and click Advanced Sharing Options.
  2. Under Who Can Share? choose All Participants.

When hosting large events, ITS recommends using Zoom webinars instead of Zoom meetings. Zoom webinars offer more controls for a higher degree of security, including view-only attendees (disabled mic and video), disabled screensharing for attendees, and optional, customizable preregistration for events.

If your department does not already have one, you will need to request a Zoom Webinar license through zoom-service@virginia.edu.

  • Notes for hosting Zoom Webinars (or streaming Zoom Meetings to YouTube or Facebook Live):
    • Please be aware that anything streaming to an outside service is presumed to be public data. Once the data leaves Zoom and streams to another platform, there is no assurance that it will be protected.
    • Webinar users should disable chat. Q&A is fine, but the chats can be sent to the entire audience, and could be misused or reveal information that should not be made public.

For a full comparison of Zoom meetings and Zoom webinars, see Zoom's Meeting and Webinar Comparison page.

For classes which were transitioned from in-person to virtual instruction, faculty members are permitted to make recordings (audio or video) that only include their voice and image. Such recordings are not considered an educational record under the Family Educational Rights and Privacy Act (FERPA). If a recording includes students, it is permissible provided that the faculty member:

  1. Informs students that a recording is being made, and for what reason(s) the recording may be reviewed, and by whom.
  2. Limits access to the recording to other students currently enrolled in the same class. This is best done within the Learning Management System (LMS) of the course.
  3. Reminds students that capturing or copying of the recording by any means, and sharing with others, violates University policy and is prohibited. Students violating this prohibition may face honor or disciplinary actions.

*Note: Please be aware of University Policy PROV-008: Teaching Courses for Academic Credit, which states that when determined by the Student Disability Access Center (SDAC) as an accommodation, recording of classroom lectures is deemed an exception to the prohibition of recording. However, the prohibition of distribution does apply.

How to Edit Zoom Settings for an Existing Meeting

  1. Launch UVACollab
  2. Log in and open your class.
  3. Select Online Meetings in the left navigation.
  4. Click on the meeting under "Topics."
  5. Click the Edit this Meeting button at the bottom of the page.

  • Log in to Zoom
  • To edit an existing meeting, click Meetings in the left navigation.
  • To update any Zoom setting, click Settings in the left navigation.

Zoom Privacy & Security Statement

There have been a number of news articles published recently regarding security and privacy concerns with Zoom. Primarily, they relate to “Zoom Bombing”, in which Zoom meetings can be interrupted by bad actors gaining entrance to meetings; however, they also include other security concerns. We continue to support use of Zoom at UVA at this time, and we believe that mitigating factors, either in place or which may be put in place, can reduce risk substantially:

  • UVA has an enterprise license, which allows us to configure our environment to implement Zoom security best practices for UVA users.
  • Transmission and/or storage of highly sensitive data (HSD) is not allowed in Zoom.
  • Zoom is aware of security issues and has been fixing them quickly. As Zoom client software updates become available, users are prompted to update their client. Users are strongly encouraged to implement these updates.
  • Strong end-to-end encryption, while desirable, is not currently in place for Zoom. Zoom uses a form of encryption that is not the strongest available, but it uses the same encryption as other competing products. For a frame of reference, Zoom is more secure than basic telephone conference calls. Zoom is actively looking into this issue and is expected to address it soon.
  • Zoom’s default configuration now turns off screen sharing for everyone except the meeting host. This setting can be changed to allow screen sharing by all participants, if needed, but it remains under the control of the meeting host and can be turned back off, if desired.
  • Starting April 6, UVA Zoom users were able to limit meeting participants to those with a UVA Zoom account, if desired.
  • There are many other user-controlled best practice settings users may implement that mitigate the risk of unwanted participants, including:
    • Do not share Zoom meeting links publicly.
    • Do not use your personal Zoom ID for meetings, but instead use a randomly generated Zoom ID, which is harder for bad actors to guess.
    • Monitor participants and remove uninvited/unwanted participants.
    • Do not allow meeting participants to join prior to the host starting the meeting.
    • Require a password to join the meeting.
    • Control screen sharing.
    • Lock the Zoom meeting once all desired participants have joined. However, using this option can block legitimate participants from re-entering the meeting if they accidentally drop off.
    • For large events, consider using Zoom Webinars, which allow greater control of participants.

If you have further questions after reading the guidance on this webpage, contact it-security@virginia.edu.

For additional security options, see Zoom's Blog page.

Short URL for the page: https://in.virginia.edu/zoom-security

Last Updated: April 25, 2024