Content(add): Zoom hardening guide for opsec/endpoint

[artemisclaw82]

Summary

Adds a new Zoom hardening guide at docs/pages/opsec/endpoint/zoom-hardening.mdx and updates sidebar navigation.

Closes #135

What's included

• Why Zoom is a target — ELUSIVE COMET attack pattern overview with link to the existing incident response playbook
• Immediate hardening steps — Actionable checklist: disable remote control, restrict screen sharing, enable waiting rooms/passcodes, prefer browser-based Zoom
• macOS-specific mitigations — tccutil commands, PPPC profiles for MDM/Jamf, uninstallation guidance. References Trail of Bits mitigation scripts
• Organizational policies — Alternative platforms, browser-based Zoom enforcement, social engineering awareness training
• Detection signals — Table of red flags during Zoom calls
• Quick reference table — All settings with locations and recommended values

Files changed

• docs/pages/opsec/endpoint/zoom-hardening.mdx — New page
• vocs.config.ts — Added Zoom Hardening to Endpoint Security sidebar section (dev: true)

Template compliance

• YAML frontmatter (title, description 140-160 chars, tags, contributors)
• Key Takeaway (≤40 words)
• Import paths correct
• TagProvider/ContributeFooter structure
• Sidebar entry with dev: true
• Signed commit (GPG)

[vercel]

@artemisclaw82 is attempting to deploy a commit to the Security Alliance Team on Vercel.

A member of the Team first needs to authorize it.

[artemisclaw82]

Disclosure: This content was written by Artemis, an AI assistant operated by @DicksonWu654. It has not yet been reviewed by a human. Dickson will review and revise before marking as ready for review.

Keeping as draft until that review is complete.

[DicksonWu654]

This is not accurate for the webapp at least. It seems like the settings are in differnet places. For example in the web poral it's Settings > "In Meeting (Basic)" > "Remote control" > "OFF"

The desktop client doesn't seem to even have it... Fuck it let's just use the web portal and do the settings from there.

do this for every one of the settings please

[artemisclaw82]

Done — updated all settings paths to use the Zoom web portal. Each setting now shows the correct web portal path (Settings > Meeting > In Meeting (Basic) / Security / Recording).

[DicksonWu654]

Okay - you're sure that these settings are A) Correct paths B) actually the settings recommended via the resources which you had C) Are not hallucinated?

[artemisclaw82]

Verified all paths against multiple sources (Zoom community forums, university IT guides, third-party Zoom guides). The Zoom web portal structure is:

Settings (left sidebar) > Meeting (tab) > [Section] > [Setting toggle]

Sections within the Meeting tab:

• Security — Waiting Room, Passcode, Join before host
• In Meeting (Basic) — Remote control, Screen sharing (Who can share?)
• Recording — Automatic recording

Sources cross-referenced:

• Zoom community: Settings > Meeting tab > In Meeting (Basic) > Remote control toggle (source)
• UMN IT: Settings > Security section > Waiting Room (source)
• UNR: Settings > In Meeting (Basic) > Screen sharing > Who can share: Host Only (source)

Caveat: I verified via web search, not by logging into a Zoom account directly. Paths could have shifted if Zoom recently reorganized their web portal UI. Worth a quick manual check against zoom.us/profile/setting to confirm.

[DicksonWu654]

Yeah but does Trail of bits / other trusted sources recommend we turn on these settings?

[artemisclaw82]

Honest answer — partially.

Directly from Trail of Bits' ELUSIVE COMET blog post (April 2025):

• ✅ Disable remote control — explicitly called out as "unnecessary risk," deployed technical controls to prevent it
• ✅ PPPC profiles to block accessibility permissions — their published mitigation scripts
• ✅ Prefer browser-based Zoom / Google Meet — "browser-based security model" over installed apps
• ✅ Remove Zoom desktop client entirely — "for high-security environments or organizations handling cryptocurrency, the most direct approach is to completely remove Zoom"
• ✅ macOS tccutil revocation — in their it-releases repo

General Zoom security best practices (standard hardening, NOT from Trail of Bits):

• ⚠️ Waiting rooms
• ⚠️ Meeting passcodes
• ⚠️ Host-only screen sharing
• ⚠️ Disable automatic recording
• ⚠️ SSO/OAuth

The second group is standard Zoom hardening from Zoom's own documentation and university IT guides — reasonable security hygiene, but I should have clearly separated Trail of Bits recommendations from general best practices in the guide. Want me to add attribution ("Recommended by Trail of Bits" vs "General best practice") to each setting?

[DicksonWu654]

Perhaps we have the required and optional. Required = TOB, optional = general zoom best practices. Exception of SSO and OAuth should be in required

[artemisclaw82]

Done — split the "Immediate hardening steps" checklist into Required (Trail of Bits ELUSIVE COMET mitigations + SSO/OAuth + PPPC/tccutil + client removal) and Optional (general best practices: waiting rooms, passcodes, recording). Also split the Quick Reference table into Required/Optional subsections to match. SSO/OAuth is in Required as requested.

[DicksonWu654]

Actually let's put endpoint security into guides. I see that there's currently no Zoom one in the guides. Let's add this there! Perhaps we could add other endpoints, you can propose issues and populate them accordinly

[artemisclaw82]

Moved to guides/endpoint_security/zoom-hardening. Also proposed issues for additional endpoint guides:

• Content(add): Slack desktop client hardening guide #388 Slack desktop hardening
• Content(add): Discord desktop client hardening guide #389 Discord desktop hardening
• Content(add): Telegram desktop client hardening guide #390 Telegram desktop hardening
• Content(add): Web browser hardening guide for Web3 #391 Web browser hardening for Web3

[DicksonWu654]

yo we got like some of these in the other guides already - if they're alreayd there then just close these. propose ones we don't have

[artemisclaw82]

Checked — Discord, Slack, and Telegram already have account security guides under guides/account_management/. Closed #388, #389, #390. Kept #391 (browser hardening — no existing guide) and proposed two new ones that have no coverage:

• Content(add): Password manager endpoint hardening guide #392 Password manager endpoint hardening
• Content(add): SSH client and key management hardening guide #393 SSH client and key management hardening

[DicksonWu654]

thx lgtm now

[github-actions]

Sidebar Configuration Reminder

Documentation files update:

New in this push:

• docs/pages/guides/endpoint\_security/index.mdx (added) ← NEW
• docs/pages/guides/endpoint\_security/zoom-hardening.mdx (added) ← NEW

Please ensure that:

• The sidebar in vocs.config.tsx has been updated to include these files
• New content has the dev: true parameter so it's marked as under development
• Sidebar links match the file paths - use the preview deployment to verify

See Contributing Guide – Sidebar & Navigation for more details.

---

_{This is an automated reminder. If this PR doesn't need sidebar changes, you can ignore this message.}

[DicksonWu654]

why do we have this? Let's delete this sicne it doesn't add value. Make sure you aren't overly verbose pelase

[artemisclaw82]

Removed the Join Before Host row (and the stray mention in Meeting Hygiene). Also trimmed verbosity across Required/macOS/Org Policies/Detection sections to keep it tighter. Pushed commit 41ceeaa.

[scode2277]

Hey @DicksonWu654, please do not use underscores to name files or folders, as they would cause troubles with many configs we have. Let's make our standard using dashes 🙏🏻

[github-actions]

Sidebar Configuration Reminder

Documentation files update:

New in this push:

• docs/pages/config/index.mdx (added) ← NEW
• docs/pages/guides/endpoint-security/index.mdx (added) ← NEW
• docs/pages/guides/endpoint-security/zoom-hardening.mdx (added) ← NEW

Please ensure that:

• The sidebar in vocs.config.tsx has been updated to include these files
• New content has the dev: true parameter so it's marked as under development
• Sidebar links match the file paths - use the preview deployment to verify

See Contributing Guide – Sidebar & Navigation for more details.

---

_{This is an automated reminder. If this PR doesn't need sidebar changes, you can ignore this message.}