Programs like Skype were once a useful tool that many organizations used in their workflows for convenience's sake. Now in the post-pandemic era, Skype is gone, and mainstream video conferencing platforms like Zoom and Microsoft Teams are being used daily in many organizations. As with any tool that uses the Internet for its functionality, video conferencing platforms can run into security issues if not properly configured. During the pandemic, we saw a popular trend called "Zoom-bombing," where individuals passed the time by entering random unsecured meetings and trolling them, often filming the reactions of the participants. While these attacks are on the lighter side of cyber threats, organizations need to be wary of the reputational and operational risks that come with unsecured video meetings. It is recommended that you perform an audit on all instances of your video conferencing tools and implement the security hardening measures listed below if they are absent. This documentation includes checklists for Zoom, Microsoft Teams, and Google Meets.

Zoom

Zoom is probably the most popular video conferencing tool on the market today. It hit mainstream popularity during the COVID-19 Pandemic and has become a staple of any work environment. The tool is easy to use and administer and can be downloaded for free by anyone with the need to enter a meeting. However, there are several security measures that should be put in place to protect the Zoom application and the meetings it hosts. Some of these security controls must be set on the Zoom Workspace administrator dashboard. Others can be configured via Windows Group Policy by importing the ADMX/ADML templates for Zoom. For this framework I have configured a Local Group Policy baseline that includes a variety of security settings, including some Zoom settings that appear below.  

  • Enforce use of passcodes for meetings and ensure that passcodes meet a minimum length and complexity.
  • Enforce the use of a waiting room for all users attending meetings.
  • Restrict access to meetings to authenticated users only. This requires users to sign up to attend company meetings.
  • Enable the use of Personal Meeting IDs and encourage their use rather than public links.
  • Prevent users from saving meeting chat. This will help reduce the risk of data exfiltration. To tighten the attack surface further, consider disabling the chat altogether.
  • Preferably, disable the ability to share files in the Zoom chat. This includes reputable services like Google Drive and Dropbox. Sharing files should be done in isolation from meetings.
  • Preferably, restrict the use of screen sharing to the host of meetings only.
  • Disable the cloud recording feature.
  • Prevent users from sharing their entire desktop. Only pre-specified windows should be displayed in meetings.
  • Disable the in-meeting whiteboard.
  • Disable local recording of meetings by attendees.
  • Ensure that audio is muted and video stops when a device is locked. This prevents any embarrassing mishaps.
  • Mute users and turn off their video by default whenever they join meetings.
  • Enable auto updates for the Zoom application. Set the Zoom application to prompt users to install available downloads when they exit meetings.

Microsoft Teams

Teams is a powerful business tool that is included as part of Microsoft 365. Teams is preferable to Zoom for organizations that need more comprehensive tools to be integrated with their meetings. Security for Teams should be centrally configured by an administrator within the admin dashboard. Due to the vulnerabilities posed by meetings and chats in Teams, there are several baseline settings that should be configured for users in your organization.

  • External file sharing can be convenient, but it is important to ensure that only trusted third-party cloud providers are allowed in your Teams domain.
  • Teams should be regulated to your internal organization users only. Ensure that external domains are restricted to prevent users from adding outsiders to your Teams resources.
  • Building on the previous recommendation, internal users should be restricted from communicating with unmanaged Teams users. This is especially important, as any attacker can make a basic Teams account and attempt communication with organizations for nefarious purposes.
  • Also make sure to disable external users from initiating conversations with users in your organization.
  • One of the most destructive meeting security breaches is the prospect of an anonymous user joining a meeting without verification. Under no circumstances should any anonymous users be allowed to join any internal meetings unverified.
  • You should further enhance meeting security against suspicious users by preventing any anonymous users and dial-in callers from starting a meeting themselves.
  • Bypassing the lobby in a Teams meeting is a setting that should only be enabled for users inside your organization. Enabling this feature for any outside users poses a risk to the confidentiality of your Teams meetings.
  • Teams chats are another cause for concern regarding security. If threat actors manage to enter your Teams meetings, they can copy and paste malicious content into the chat, enticing employees to click the content and become infected. Ensure that Teams chat is on for everybody except anonymous users.
  • When configuring Teams settings, ensure that the principle of least privilege is applied to the presentation feature. A nefarious actor, whether external or internal to your organization, could take advantage of the presentation feature to display inappropriate content to the entire meeting. To mitigate this risk, ensure that only organizers and co-organizers can present.
  • Going further with the principle of least privilege, disable the ability of external participants to give or request control.
  • In addition to presenting and chat features, the recording of Teams meetings should be off by default. If any user can record a meeting, they can create a copy and distribute the recording to third parties. This could result in sensitive information being leaked publicly. Turning off the Meeting recording setting ensures that only higher-level users on Teams can begin recordings.
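
The audit recommended above can be automated for the Teams meeting settings. The following is an added example, not part of the original checklist: it checks a JSON export of meeting policies (for instance from `Get-CsTeamsMeetingPolicy | ConvertTo-Json`) against the bullets in this section. The mapping from each bullet to a policy parameter, the assumption that values are exported as the strings and booleans the cmdlet displays, and the sample export itself are this example's own.

```python
import json

# Compliant values per Teams meeting-policy parameter, derived from the
# checklist above. The bullet-to-parameter mapping is this example's assumption.
BASELINE = {
    "AllowAnonymousUsersToJoinMeeting": {False},
    "AllowAnonymousUsersToStartMeeting": {False},
    "AllowPSTNUsersToBypassLobby": {False},
    "AutoAdmittedUsers": {"EveryoneInCompany",
                          "EveryoneInCompanyExcludingGuests", "OrganizerOnly"},
    # "Disabled" is stricter than the checklist asks and is accepted too.
    "MeetingChatEnabledType": {"EnabledExceptAnonymous", "Disabled"},
    "DesignatedPresenterRoleMode": {"OrganizerOnlyUserOverride"},
    "AllowExternalParticipantGiveRequestControl": {False},
    "AllowCloudRecording": {False},
}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """[
  {"Identity": "Global", "AllowAnonymousUsersToJoinMeeting": true,
   "AllowAnonymousUsersToStartMeeting": false, "AllowPSTNUsersToBypassLobby": false,
   "AutoAdmittedUsers": "Everyone", "MeetingChatEnabledType": "Enabled",
   "DesignatedPresenterRoleMode": "EveryoneUserOverride",
   "AllowExternalParticipantGiveRequestControl": false, "AllowCloudRecording": true},
  {"Identity": "Tag:Hardened", "AllowAnonymousUsersToJoinMeeting": false,
   "AllowAnonymousUsersToStartMeeting": false, "AllowPSTNUsersToBypassLobby": false,
   "AutoAdmittedUsers": "EveryoneInCompany",
   "MeetingChatEnabledType": "EnabledExceptAnonymous",
   "DesignatedPresenterRoleMode": "OrganizerOnlyUserOverride",
   "AllowExternalParticipantGiveRequestControl": false, "AllowCloudRecording": false}
]"""

def audit_policy(policy):
    """Return (parameter, actual, allowed) for every setting off baseline."""
    findings = []
    for param, allowed in BASELINE.items():
        # A key absent from the export is reported, never silently passed.
        actual = policy.get(param, "<missing>")
        if param not in policy or actual not in allowed:
            findings.append((param, actual, sorted(map(str, allowed))))
    return findings

def audit_export(text):
    """Audit every policy in a JSON export; returns {identity: findings}."""
    data = json.loads(text)
    policies = data if isinstance(data, list) else [data]  # one policy exports as a bare object
    return {p.get("Identity", "<no identity>"): audit_policy(p) for p in policies}

if __name__ == "__main__":
    for identity, findings in audit_export(SAMPLE_EXPORT).items():
        print(identity, "compliant" if not findings else "NON-COMPLIANT")
        for param, actual, allowed in findings:
            print(f"  {param} = {actual!r}; expected one of {allowed}")
```

Run it against every policy in the tenant, not only the global one, since a per-user policy assignment overrides the global default.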

Google Meets

Much like Teams, Google Meets is specific to its vendor and has its security settings configured through a vendor dashboard. Google Meets has no desktop application; all meetings are done through the browser. There are mobile applications for mobile devices, however. Security controls for Meets fall in line with the others outlined in this documentation.

  • Do not reuse rooms. Keeping the same room for multiple different meeting instances increases the chance of a threat actor discovering the room. Ensure that a unique room is created for each session.
  • Do not share links publicly. Refrain from publishing links over public channels; instead, rely on Google Calendar or email to share meeting links.
  • Restrict screen sharing. If screen sharing is enabled too liberally, a large meeting can descend into chaos and embarrassment. Document which attendees will need to screen share ahead of time and restrict access to screen share on the meeting accordingly.
  • Restrict recording. If you allow users to record the meeting, an internal threat actor could record the meeting and move it outside your organization. If the meeting contains discussions on PII or trade secrets, damage will be caused by threat actors and/or competitors.
  • Restrict who can access a meeting. Administrators should restrict access to company meetings by only allowing users within the company to join company meetings. If external entities need to partake in a meeting, the settings can be configured to restrict access to those with a Google account.
  • Restrict which meetings your employees can join. If your employees are going to be using Google Meet for internal purposes only, you should configure settings so that they can access meetings in your organization only.
  • Label External/Unidentified Attendees. If an external user does manage to join a company meeting, they can be pointed out with a special label. This prevents these users from blending into the background.
  • Restrict 1:1 calls to intra-organization only. A 1:1 call can be both normal and suspicious. A 1:1 meeting with an external user, especially one unknown to the administration, is a red flag. To prevent this, configure Google Meet settings to only allow 1:1 meetings between users inside the organization.