Video Conferencing has firmly taken front and centre stage with the global pandemic as companies and families turn to cloud services like Zoom and Microsoft Teams to connect with their colleagues and family members.
Organizations ran towards video conferencing services like a torch yielding mob. In their desperation to find the quickest and easiest solution for business continuity they forgot all the principles of the IT lifecycle. Planning, Design, Adoption all went out of the window and the service that was quickest to use overcame all normal process and in many cases common sense. Swipe credit card and Zoom! You can now VC Away!
As the popularity of Zoom increased so did its appeal to people on the internet that do not have good intentions. Its a side effect of populism that you are always going to have the fan base and the haters. Zoom bombing became a thing and corporate meetings where being hijacked by people ranging from prank to borderline malicious intent.
I do sympathise with Zoom on this because Zoom bombing was not a direct consequence to the security of Zoom as a platform. No one performed a man in the middle attack or some how found a back door into Zoom to harvest Conference IDs etc. Zoom bombing became a thing because it's users didn't know how to properly invite their participants to a meeting. They created a meeting, generated a conference ID and then proceeded to post that ID freely on the internet through Social Media, Websites and other mediums like WhatsApp. Curiosity did the rest.
That said, it does give way to the cost of something that is built for simplicity and a way of getting you to use it quickly and easily. Instead of Zoom implementing default settings to provide users with a 1st line of defence against themselves, they decided meetings should be open and free of join friction by default. That's is fundamentally why executives love Zoom!
This is perhaps where Zoom became somewhat responsible for their user's security. In their defence though, Zoom was never designed for the user base it is now serving. However, for good or bad, meeting security has now become a hot topic and now the pranksters and hackers have had their head turned, it is more important than ever to ensure that your meetings are secure.
Microsoft Teams Secure by Default Meetings
If we now look at how Microsoft Teams creates and secures meetings by default, we can see that the two platforms on a pure conferencing perspective are built entirely different. Microsoft has always built Microsoft 365 products with Enterprise class security and compliance front and centre and Teams meetings are no different.
Out of the box there are settings that are applied by default to protect people from themselves.
Firstly, Conference IDs. Microsoft Teams doesn't have Conference IDs for joining over the web (only for PSTN). Instead it has a uniquely generated URL to join a meeting which is only valid for that particular meeting. Whilst in itself is no more or less secure than a Conference ID, it does mean that when people create other meetings, a new link to a new conference space must be used.
What I have seen a lot with the likes of Zoom that use Conference IDs is that they are almost always static (either by platform or user choice) in the case where someone has a “personal room”. This means that once I have the ID, I can take my chance and join that room at any time and potentially be involved in meetings I am not supposed to be in. Again, simple for the user, bad for security.
Secondly, Microsoft Teams has a setting that is default to all base meeting policies and that is to enable the meeting lobby. The meeting lobby is a kind of a car park for meeting joiners where the Organizer of the meeting can see people joining and choose to admit them into the meeting or kick them out before they enter and potentially see things they shouldn't. If you have disabled this as company policy, you need to re-enable it.
The Meeting Lobby
Now as good as a lobby function is, it doesn't get around the issue of participants admitting people themselves. Usually what happens in a meeting is that the Organizer starts to present and then we hear a ping that notifies someone is in the lobby, a late joiner. This often leads to people just admitting them without thinking about who they are in an attempt not to break their flow. In fact, just as I am writing this blog I am on a meeting and the presenter just said “I would appreciate it if someone can admit people if they join late”.
This leads to complaints and ultimately Organizations taking the decision to turn lobby off.
However, before you do that, consider how the lobby is used. It has 3 settings.
- Everyone – All anyone to bypass the lobby (bad)
- Everyone In Company – All anyone within your tenant to bypass the lobby, but any external joiner will be placed in the lobby
- Everyone in Company & Federated Organizations – Anyone within your tenant plus any partner domain that is federated with you to bypass the lobby and anyone else must remain in the lobby.
By refining the lobby experience, you can reduce user friction but maintain a level of security at the appropriate boundary. You should consider setting 3 EveryoneInSameAndFederatedCompany as the starter for 10.
Now, for this setting, you don't need to employ closed federation whereby you are explicitly allowing partner domain federation. You can leave this as open federation. The concept here is that if any joiner has an existing Teams or Skype for Business deployment and supports federation themselves, then they can bypass the lobby. The assumption here of course is that as a result of having the same enterprise infrastructure, they are somewhat trustworthy and should probably be in the meeting.
A guest joiner who has no Teams local tenant or Skype for Business and just joining without an account will be held in the lobby.
Define Your Guest
By default, Teams meetings will allow anyone to join the meeting if they have in their presence the meeting join link. They don't have to be enabled for Teams, they don't need an account or software, they can join by simply clicking the link and adding a Guest Display Name, which is open to impersonation.
Why is this enabled by default? It's a join experience idea that allows meetings to take place in the quickest and easiest way for users. The idea is that other controls like lobby act as a filter for unauthorised joiners.
You can turn this off in the meeting settings on the Tenant. This is a global setting and must be agreed at business level. Disabling anonymous join means that every participant will be required to sign in and authenticate using AzureAD before being allowed access to the meeting.
With not every possible participant having an AzureAD identity, the disabling of this setting should be used with extreme caution and only in cases where Organizations are 100% sure their participants can authenticate.
Control Your Participants
The next and quite important feature is the prevention of toll fraud. It is possible to allow a guest joiner to use “Dial Out” capabilities within a meeting. When enabled, the guest will be able to use the dial pad to call in someone to the meeting. The intended purpose of course is to permit people to drag in people needed for the meeting. However, it can be used as a rudimentary phone system in meeting spaces that are still active but unused. Luckily Microsoft Teams disables this feature by default and must be turned on by an administrator.
Coupled with this feature, but independent is the ability to allow an unauthenticated guest user to start the meeting on behalf of the organiser. Typically this is bad because it is open for people to impersonate the organiser. Again, Teams makes it easy for you by disabling this feature by default.
The last feature is related to the lobby again. Up to now the lobby controls are for web joined participants. But, we also need to control lobby settings for PSTN joiners, i.e. those who have dialled in to the meeting using a phone.
Why is this setting decoupled from lobby join? It comes down to user experience, joining a Teams meeting via phone is complex enough without sitting in a lobby with no hold music wondering if the call is event connected. For this reason, people often allow PSTN callers to bypass the lobby and gain access to the meeting without being firewalled.
By default, this setting is also disabled, but many companies enable this. In light of the current interest in disruptors to meetings, this setting should be revised by security teams.
There is one last control that needs to be moderated. The ability to force everyone but the organiser into “Attendee” mode. At the current time of writing the feature does not exist, but it is coming and can be seen in some Tenant's as a PowerShell parameter.
This is the final piece of the puzzle for meeting security. It has been in Teams' predecessor for many years, the ability to assign meeting participation roles to participants. By design right now, Teams allows anyone the ability to present in a meeting. This includes actions such as:
- Presenting Screen
- Admitting Users from the lobby
- Inviting others into the meeting
- Muting everyone
- Kick out participants (and worryingly even the organiser)
Forcing participants into Attendee mode will prevent all that which could go a long way towards preventing the affects of “bombing” a meeting to make it less fun for the disruptor and therefore, less interest.
Secured Meeting Recordings
On a side note, with regards to meeting recordings. Right now, recorded meetings in Stream are only available to participants within the same Tenant as the organiser / presenter that recorded it. There has been many long and persistent calls for this to be relaxed to allow meeting participants to view as well. However, let's hope that recordings can only be shared with participants with some kind of security / authentication process that never permits the public and anonymous sharing of this video via the Meeting Join link or in Teams. That action should always remain a three-step process as it is now i.e. presenter must download and upload to shared storage and share out. This makes it a 100% conscious decision and cannot be accidentally leaked without knowing.
This has not been a comparison between how Zoom chooses to enable meetings vs Teams, but mainly about how the lessons learnt from Zoom can be applied to Microsoft Teams meetings and our behaviour within them.
Microsoft Teams meetings balance security and meeting join experience in a way that allows people to have a good join experience but enabled with a moderate level of security and protection. If organisations choose to relax these controls, they cannot blame the technology when meetings are compromised. This is why it is important for everyone to understand not just the behaviour, but the implications of enabling or disabling as the case may be.
If you want to get started with a hardened Global meeting policy, the following command will help
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToDialOut $false -AllowAnonymousUsersToStartMeeting $false -AutoAdmitUsers EveryoneInSameAndFederatedCompany -AllowExternalParticipantGiveRequestControl $false -AllowPSTNUsersToBypassLobby $false -AllowOrganizersToOverrideLobbySettings $true