This is a practical guide based on Zoom and CheckPoint recommendations crafted with common sense and Zoom usage specific in our Company, aka work from home (WFH) activity as every company in the world now and sales / pre sales activities as a vendor. 

Due to the specific nature of our business, in addition to hardening, we do what we are doing the best, we have developed threat detection analytical content for SIEMs based on Zoom reports available over API, proxy logs and workstation logs. 


Tiered Approach


All configurable zoom settings can be controlled at 3 levels. Hierarchical inheritance in place:

  • Account level (“default” or “locked” state)
  • Group level (“default” or “locked” state)
  • User level (“default” state)

Default settings – recommended but could be changed by a user. If a setting is changed at the account level, that becomes the default setting for all groups and users in the account unless the setting had been previously changed by a group or user.

Locked settings – obligatory and couldn’t be changed by a user. Each setting can be locked at either the account level or the group level. Locking a setting at the account level means that the setting cannot be changed by any user. Locking the setting at the group level means that members of the group cannot change the setting. 


Tech Tips

  • For each group that requires different settings, navigate to Group Settings > group_name > Settings. 
  • To Lock settings at account or group level – click the Lock icon to the right of the option name.


First of all, user groups should be identified based on way of working, internal communication specific and company business specific. As for now  we have identified following (yes, this not a constant, we are growing, we are changing):

  1. “Vanguard” – Sales / Presales role, communicate all over the world, maximum recommended options, minimum restrictions to be more flexible and reach out to all possible clients and customers. All associated risks covered by proper awareness activity and training on how to mitigate crashers activity by Zoom meeting controls.
  2. “Rearward” – Internal staff role, communicate inside the company as part of work from home activity, one to one, one to many, instant meetings, scheduled stand-ups etc. Communication with the external world is limited. Maximum restrictions and less extensive awareness activity. 
  3. “Rooms” – a role for accounts identified to support internal communication processes, like continuously open rooms etc. Specific restrictions. 
  4. “Special” – role reserved for any possible special requirements. Minimum restrictions. should not be used in a continuous way.  


Account-level settings

In details:

  1. Join before host – disabled default
  2. Use Personal Meeting ID (PMI) when scheduling a meeting – disabled
  3. Use Personal Meeting ID (PMI) when starting an instant meeting – disabled
  4. Only authenticated users can join meetings – enabled default
  5. Require a password when scheduling new meetings – enabled locked
  6. Identify guest participants in the meeting/webinar – enabled locked
  7. Require a password for instant meetings – enabled locked
  8. Require a password for Personal Meeting ID (PMI) – enabled locked
  9. Require a password for Room Meeting ID (for Zoom Rooms only) – enabled locked
  10. Embed password in meeting link for one-click join – enabled default
  11. Chat – enabled default
  12. File transfer – disabled locked
  13. Allow host to put attendee on hold – enabled locked
  14. Screen sharing – enabled default
    1. Who can share? – All Participants
    2. Who can start sharing when someone else is sharing? – Host Only
  15. Annotation – enabled default
  16. Whiteboard – enabled default
  17. Remote control – enabled default
  18. Allow removed participants to rejoin – disabled locked
  19. Remote support – disabled default
  20. Closed captioning – disabled default
  21. Save Captions – disabled default
  22. Far end camera control – disabled locked
  23. Blur snapshot on iOS task switcher – enabled locked
  24. Local recording – enabled locked
    1. Hosts can give participants the permission to record locally – off
  25. Automatic recording – disabled locked
  26. IP Address Access Control – enabled locked
  27. Only authenticated users can view cloud recordings – enabled locked
  28. Recording disclaimer – enabled locked


Group level settings

“Vanguard” group level settings

  1. Join before host – disabled locked
  2. Use Personal Meeting ID (PMI) when scheduling a meeting – disabled locked
  3. Private chat – disabled default
    1. Can be enabled if required for technical communication of host, co-host, etc.   
  4. Co-host – enabled default
  5. Show a “Join from your browser” link –  enabled default
  6. Waiting room – enabled locked


“Rearward” group level settings

  1. Join before host – disabled locked
  2. Use Personal Meeting ID (PMI) when scheduling a meeting – disabled locked
  3. Only authenticated users can join meetings – enabled locked
  4. Private chat – disabled locked
  5. Remote control – disabled locked
  6. Waiting room – enabled locked
  7. Remote support – disabled locked


“Rooms” group level settings

  1. Join before host – enabled default
  2. Waiting room – disabled default


Account Security Settings


We have made a decision to use Google for authentication, where we already have password enforcements, 2FA and additional controls in place.


methods

  1. Allow users to sign in with Google: enabled
  2. Allow users to sign in with Facebook:  disabled


  1. Only account admin can change users’ name, picture, email, and host key: disabled
  2. Only account admin can change pro users’ PM ID and Personal Link Name: disabled

User need to input Host Key to claim host role with the length of: 10


General and common sense recommendations


  • When you share your meeting link on social media or other public forums, that makes your event … extremely public. ANYONE with the link can join your meeting.
  • Avoid using your Personal Meeting ID (PMI) to host public events. PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over. Generate a random meeting ID for meetings where possible.
  • According to the research (5), Zoom meeting hosts don’t even have to send out a public link for users to participate in their meetings. Always require a password to join.
  • If really required, share random meeting IDs via social networks but send a password by a direct message.
  • Never try to open URL links or pictures sent over the Chat.
  • Setup proper authentication at account level, Google, Local Passwords with proper controls in place, SAML, 2FA, use authentication relevant to your corporate security policy.
  • Familiarize yourself with Zoom’s settings and features so you understand how to protect your virtual space when you need to. How to mute, how to turn off video for participants, to put attendees on hold, etc.
  • Configure logs collection from your Zoom account to your SIEM and establish alerting / monitoring mechanisms.
  • Logs collection from your proxy server and EDR is mandatory for today’s threat landscape. Just cover zoom specific attacks via these logs.  


Content to detect Zoom related attacks


Possible Zoom Bad Domains (via proxy) –

Possible Zoom Bad Domains (via dns) –

Possible Zoom Binary Abuse (via cmdline) –

Possible NTLM Credential Leak via Unwanted External UNC Path (via cmdline) –




Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts