Changes Coming to Zoom Default Settings to Increase Security

Zoom is the tool of choice for staying connected during social distancing, and not just at Ohio State. You’ve likely heard stories from national and global news outlets related to security concerns, and with so many users on the tool right now, it’s no surprise hackers are taking advantage of the situation.

At Ohio State, we are constantly working to make our Zoom meetings and virtual classrooms safer. Between spring and summer semesters, we will be making a few changes to the default settings within Zoom to better protect our students, faculty and staff. These settings were carefully chosen to ensure your security while maintaining the usability of the tool.

On Tuesday, May 5, between 5 and 8 p.m., the following changes will be made to the default meeting settings in CarmenZoom:

1. Meetings will require a password by default. These passwords will be embedded in the meeting URL by default.
2. Annotations will not be available to participants by default.
3. The ability to join a meeting before the host or alternate host joins will be disabled by default.
4. Participants will not be able to change their names by default.
5. Recorded meetings will remain in the Zoom cloud for 270 days (increased from 180).

These changes to default settings will affect any new meetings you create in Zoom. Existing meetings scheduled through Zoom will not be affected, and these new default settings will not override any changes you've made to your personal settings.

Think of these default settings like wearing a helmet when you ride a bike. They are designed to protect you, and removing those protections opens you up to risks. If you choose to alter some of these settings (for example, to allow participants to change their names), it may be harder for Ohio State to look into a situation and identify the offenders in the case of a Zoom bombing attack.

It is strongly recommended that you take advantage of the default passwords for meetings. Passwords create an additional layer that hackers must work to breach. While passwords will be embedded in meeting links by default, you can choose to turn off this setting and send a password to your participants separately. If you are using the Canvas integration to schedule Zoom meetings with your students, you should leave the password embedded in the link.

You may have noticed that recordings in the Zoom cloud already require a password. This security feature will remain. Unlike meeting passwords, recording passwords cannot be embedded within the link for the recording. If you are using the Zoom integration within CarmenCanvas, your students won’t need a separate password; when clicking to view the cloud recording, the password will be copied to the clipboard for them to paste when prompted, allowing them easy access directly from your Carmen course.

For even more control over your meetings, we strongly encourage you to enable the waiting room and require Ohio State authentication when all participants will be affiliated with the university. Learn more about Zoom security recommendations in the ODEE Resource Center. It is also important to note, Zoom should not be used for conversations that involve restricted (S4) data. Learn more easy, secure tips to working remotely at cybersecurity.osu.edu.

Our security experts are also working directly with Zoom to ensure university data stays within known, safe servers. In addition, Ohio State Chief Information Security Officer, Helen Patton, is now part of Zoom’s CISO Advisory Board to help steer the conversation at Zoom to ensure the security needs of universities like ours are met.