Zoom Service Hardening Guide

WRITTEN BY

Eugene Tkachenko

Community Program Lead

[post-views]

April 06, 2020 · 7 min read

Table of contents:

Intro

This is a practical guide based on Zoom and CheckPoint recommendations crafted with common sense and Zoom usage specific in our Company, aka work from home (WFH) activity as every company in the world now and sales / pre sales activities as a vendor.

Due to the specific nature of our business, in addition to hardening, we do what we are doing the best, we have developed threat detection analytical content for SIEMs based on Zoom reports available over API, proxy logs and workstation logs.

Tiered Approach

All configurable zoom settings can be controlled at 3 levels. Hierarchical inheritance in place:

Account level (“default” or “locked” state)
Group level (“default” or “locked” state)
User level (“default” state)

Default settings – recommended but could be changed by a user. If a setting is changed at the account level, that becomes the default setting for all groups and users in the account unless the setting had been previously changed by a group or user.

Locked settings – obligatory and couldn’t be changed by a user. Each setting can be locked at either the account level or the group level. Locking a setting at the account level means that the setting cannot be changed by any user. Locking the setting at the group level means that members of the group cannot change the setting.

Tech Tips

For each group that requires different settings, navigate to Group Settings > group_name > Settings.
To Lock settings at account or group level – click the Lock icon to the right of the option name.

First of all, user groups should be identified based on way of working, internal communication specific and company business specific. As for now we have identified following (yes, this not a constant, we are growing, we are changing):

“Vanguard” – Sales / Presales role, communicate all over the world, maximum recommended options, minimum restrictions to be more flexible and reach out to all possible clients and customers. All associated risks covered by proper awareness activity and training on how to mitigate crashers activity by Zoom meeting controls.
“Rearward” – Internal staff role, communicate inside the company as part of work from home activity, one to one, one to many, instant meetings, scheduled stand-ups etc. Communication with the external world is limited. Maximum restrictions and less extensive awareness activity.
“Rooms” – a role for accounts identified to support internal communication processes, like continuously open rooms etc. Specific restrictions.
“Special” – role reserved for any possible special requirements. Minimum restrictions. should not be used in a continuous way.

Account-level settings

In details:

Join before host – disabled default
Use Personal Meeting ID (PMI) when scheduling a meeting – disabled
Use Personal Meeting ID (PMI) when starting an instant meeting – disabled
Only authenticated users can join meetings – enabled default
Require a password when scheduling new meetings – enabled locked
Identify guest participants in the meeting/webinar – enabled locked
Require a password for instant meetings – enabled locked
Require a password for Personal Meeting ID (PMI) – enabled locked
Require a password for Room Meeting ID (for Zoom Rooms only) – enabled locked
Embed password in meeting link for one-click join – enabled default
Chat – enabled default
File transfer – disabled locked
Allow host to put attendee on hold – enabled locked
Screen sharing – enabled default
1. Who can share? – All Participants
2. Who can start sharing when someone else is sharing? – Host Only
Annotation – enabled default
Whiteboard – enabled default
Remote control – enabled default
Allow removed participants to rejoin – disabled locked
Remote support – disabled default
Closed captioning – disabled default
Save Captions – disabled default
Far end camera control – disabled locked
Blur snapshot on iOS task switcher – enabled locked
Local recording – enabled locked
1. Hosts can give participants the permission to record locally – off
Automatic recording – disabled locked
IP Address Access Control – enabled locked
Only authenticated users can view cloud recordings – enabled locked
Recording disclaimer – enabled locked

Group level settings

“Vanguard” group level settings

Join before host – disabled locked
Use Personal Meeting ID (PMI) when scheduling a meeting – disabled locked
Private chat – disabled default
1. Can be enabled if required for technical communication of host, co-host, etc.
Co-host – enabled default
Show a “Join from your browser” link – enabled default
Waiting room – enabled locked

“Rearward” group level settings

Join before host – disabled locked
Use Personal Meeting ID (PMI) when scheduling a meeting – disabled locked
Only authenticated users can join meetings – enabled locked
Private chat – disabled locked
Remote control – disabled locked
Waiting room – enabled locked
Remote support – disabled locked

“Rooms” group level settings

Join before host – enabled default
Waiting room – disabled default

Account Security Settings

We have made a decision to use Google for authentication, where we already have password enforcements, 2FA and additional controls in place.

Sign-in methods

Allow users to sign in with Google: enabled
Allow users to sign in with Facebook: disabled

Security

Only account admin can change users’ name, picture, email, and host key: disabled
Only account admin can change pro users’ PM ID and Personal Link Name: disabled

User need to input Host Key to claim host role with the length of: 10

General and common sense recommendations

When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.
Avoid using your Personal Meeting ID (PMI) to host public events. PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over. Generate a random meeting ID for meetings where possible.
According to the research (5), Zoom meeting hosts don’t even have to send out a public link for users to participate in their meetings. Always require a password to join.
If really required, share random meeting IDs via social networks but send a password by a direct message.
Never try to open URL links or pictures sent over the Chat.
Setup proper authentication at account level, Google, Local Passwords with proper controls in place, SAML, 2FA, use authentication relevant to your corporate security policy.
Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. How to mute, how to turn off video for participants, to put attendees on hold, etc.
Configure logs collection from your Zoom account to your SIEM and establish alerting / monitoring mechanisms.
Logs collection from your proxy server and EDR is mandatory for today’s threat landscape. Just cover zoom specific attacks via these logs.

Content to detect Zoom related attacks

Possible Zoom Bad Domains (via proxy) – https://tdm.socprime.com/tdm/info/MrDuoDkETUIP/

Possible Zoom Bad Domains (via dns) – https://tdm.socprime.com/tdm/info/TWstmhIEa1oA/

Possible Zoom Binary Abuse (via cmdline) – https://tdm.socprime.com/tdm/info/BMUtqKem63oL/

Possible NTLM Credential Leak via Unwanted External UNC Path (via cmdline) – https://tdm.socprime.com/tdm/info/i71EA49sF8jW/

References

———————————-

Was this article helpful?

Like and share it with your peers.

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free Book a Meeting

Blog, SOC Prime Platform — 3 min read

SOC Prime on Discord: Join a Single Community for All Cyber Defenders to Benefit from Shared Expertise

Veronika Telychko

Blog, Latest Threats — 3 min read

CVE-2022-29108 Detection: Newly Discovered Flaw in Microsoft SharePoint Server

Anastasiia Yevdokimova

Blog, Latest Threats — 4 min read

The Future of Threat Detection is the Community

Alla Yurchenko

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.

Zoom Service Hardening Guide

Intro

Tiered Approach

Tech Tips

Account-level settings

Group level settings

Account Security Settings

General and common sense recommendations

Content to detect Zoom related attacks

References

Table of Contents

Was this article helpful?

Related Posts

Zoom Service Hardening Guide

Intro

Tiered Approach

Tech Tips

Account-level settings

Group level settings

Account Security Settings

General and common sense recommendations

Content to detect Zoom related attacks

References

#ez_toc_widget_sticky-2 .ez-toc-widget-sticky-container ul.ez-toc-widget-sticky-list li.active{ background-color: #ededed; } Table of Contents

Was this article helpful?

Related Posts

Table of Contents