Best Practices for Video Conferencing

Summary

There are multiple options available in the marketplace at support distance learning and online video conferencing.   When using these options, teachers, staff, and students – or anyone who is in a host role – must ensure they follow best practices for providing a safe and secure platform for all parties to use.  While the department does not advocate for any particular platform, our recommendation is for districts to use an enterprise application that ensures teacher’s and student’s privacy and protection and that can be secured using district’s existing privacy and access control.  

Best Practices

There has been a significant increase in the attempted hacking of video conferencing platforms as more institutions have moved to an online learning platform. As such, the providers of these platforms have provided recommended best practices for securing these platforms.  Below is an overview of these best practices.  For further details, please visit the platform providers security sites.

Microsoft Teams:

  • Do not allow Anonymous Users to join meetings. This will prevent unauthorized users who are not part of your classroom setting to join an online class.
  • Hold non-organizational users in the “lobby” until the host lets the attendee enter. The host will see a notification when attendees are waiting in the lobby and as the host, you will authorize the attendees to join.
  • Require attendees to announce themselves when joining a meeting.
  • Do not allow attendees or panelists to join before host.
  • Expel users from meetings when necessary.
  • Use the scheduled meetings functions.  Disable the “Meet Now” function for classrooms.
  • Review your communication compliance settings to monitor for offensive language and/or sensitive information policies         
  • Configured “structured meetings” where presenters/teachers can do anything that should be done, but students/attendees can have a controlled experience.·         
  • Customize your meeting invites, so users know meeting links are legitimate        
  • Share an Application instead of sharing your Screen to prevent accidental exposure of sensitive information on your screen. Ex. Microsoft Office products, Web browsers, etc.
  • Secure your Audio PIN for host if using dial-in functionality only. 

Webex:

  • Auto Lock Personal Room for secure meetings. This prevents all attendees in your lobby from automatically joining in the meeting. 
  • Set Personal Room Notifications before a Meeting to receive an email notifications when attendees are waiting for a meeting to begin. 
  • Schedule a Meeting instead of using your Personal Room. Personal Rooms web links do not change. Improve security by scheduling a meeting which includes a one-time web link.
  • Set a password for every Meeting by creating a high-complexity, non-trivial password (strong password). A strong password should include a mix of uppercase and lowercase letters, numbers and special characters (for example, $Ta0qedOx!). Passwords protect against unauthorized attendance since only users with access to the password will be able to join the meeting.
  • Do not reuse passwords for meetings. Scheduling meetings with the same passwords weakens meeting protection considerably. 
  • Use Entry or Exit Tone or Announce Name Feature to prevent someone from joining the audio portion of your meeting without your knowledge.
  • Do not allow attendees or panelists to join before host.
  • Assign an alternate host to start and control the meeting. This keeps meeting more secure by eliminating the possibility that the host role will be assigned to an unexpected, or unauthorized, attendee, in case you inadvertently lose your connection to the meeting. One or more alternate hosts can be chosen when scheduling a meeting. An alternate host can start the meeting and act as the host. The alternate host must have a user account on your Webex Meetings website. 
  • Lock the meeting once all attendees have joined the meeting. This will prevent additional attendees from joining. Hosts can lock/unlock the meeting at any time while the session is in progress.
  • Expel Attendees at any time during a meeting.
  • Share an Application instead of sharing your Screen to prevent accidental exposure of sensitive information on your screen. Ex. Microsoft Office products, Web browsers, etc.
  • Set password for your recordings before sharing them to keep the recording secure. 
  • Delete recordings after they are no longer relevant.
  • Create a Host Audio PIN. Your PIN is the last level of protection for prevention of unauthorized access to your personal conferencing account. 

Zoom: 

  • Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screensharing options. In Zoom, change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Do not use Facebook to sign in: It might save time, but it is a poor security practice and dramatically increases the amount of personal data Zoom has access to.
  • Use two devices during Zoom calls: If you are attending a Zoom call on your computer, use your phone to check your email or chat with other call attendees.
  • Don't use your personal meeting ID for meetings. A Zoom Personal meeting ID is the same as a Personal Room meeting in WebEx.
  • Consider turning on the “waiting room” for your meeting so that you can scan who wants to join before letting everyone in.
  • If you don't want participants to join/interact before the host enters, uncheck "Join Before Host". Set an alternate host if you need a backup host.
  • Disable "Allow Removed Participants to Rejoin" so that participants who you have removed from your session cannot re-enter.
  • Disable "File Transfer" unless you know this feature will be required.
  • Disable annotation if you don't need it.