5

Apparently, my company has a security policy that states that if a laptop's battery dies (that is, uses up all charge because it's unplugged), the laptop gets locked and a domain administrator has to unlock it before it can be used again.

Is there anything to this policy that makes it more secure than not locking the laptop so a user can start using it again right away after plugging it in?

This is a highly secure environment: internal storage is encrypted and there are several security tools running on our computers all the time.

Edit: I didn't realize this could be relevant so I haven't added it before, but we're allowed to shut down / reboot the machines any time. We can also take them home to work from home (using VPN and IT-approved tools to facilitate authentication).

Edit 2: the computers run Windows 8.1 and are all part of a corporate domain. Access to various domain resources is tightly controlled.

xxbbcc
  • That's a very unusual policy, so there must have been some reason (good, bad, or indifferent) that caused it to be put into place. I think you might have to find whoever was originally responsible to find out what that reason was/is. – Xander Dec 30 '15 at 22:47
  • @drewbenn I don't know the answer to your question. I guess I could try to trigger it but I'm not terribly inclined to have to go through the unlocking process. (The scenario described in the question didn't happen to me.) – xxbbcc Dec 30 '15 at 23:35
  • @drewbenn I don't know if there's a difference between handling these cases. Our systems run a number of monitoring tools so I can easily see both cases being handled. – xxbbcc Dec 31 '15 at 01:03

4 Answers

3

If the computer is not allowed to be turned off, monitoring software (and possibly other hardware components) can be used to monitor things such as the removal of HDDs, RAM, and/or other chips. If the battery dies, there's no power to the system so no monitoring can take place - thereby requiring a hardware check to make sure nothing has happened. This is just one possibility I suppose.

Update: it's also possible the BIOS keeps logs of hardware changes which the OS (and thus your employer's monitoring software) can access. A dead battery would cause a discontinuity in such a log as parts could be removed and reinserted without its knowledge.

iAdjunct
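
The distinction the answer above relies on, a planned shutdown versus an abrupt loss of power that leaves a gap in monitoring, can be read from the Windows System event log. The following is an added example, not code from the answer or from any tool used at the asker's company; it assumes the log has already been exported as (timestamp, event ID) pairs, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Standard Windows System-log event IDs.
BOOT = 6005         # EventLog: event log service started (system booted)
CLEAN_STOP = 6006   # EventLog: event log service stopped (orderly shutdown)
DIRTY = {41, 6008}  # Kernel-Power 41 / EventLog 6008: previous shutdown was unexpected

# Constructed sample records (timestamp, event ID); not from a real machine.
SAMPLE = [
    ("2015-12-28 08:55:10", 6005),
    ("2015-12-28 18:02:41", 1074),  # shutdown initiated by a user or process
    ("2015-12-28 18:02:55", 6006),
    ("2015-12-29 08:58:03", 6005),
    ("2015-12-29 16:40:12", 7036),  # ordinary service event, last record before power loss
    ("2015-12-30 09:12:30", 41),
    ("2015-12-30 09:12:37", 6005),
    ("2015-12-30 09:12:37", 6008),
]

def parse(records):
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid) for ts, eid in records)

def review_boots(records, window=timedelta(minutes=2)):
    """One finding per boot: how the previous session ended and how long nothing was logged."""
    events = parse(records)
    boots = [t for t, eid in events if eid == BOOT]
    findings = []
    # The session before the first boot is not described by the log, so start at the second.
    for prev_boot, boot in zip(boots, boots[1:]):
        # Records written during the previous session; 41/6008 are written at boot time
        # about a shutdown that already happened, so they are not session activity.
        session = [(t, eid) for t, eid in events
                   if prev_boot <= t < boot and eid not in DIRTY]
        clean = any(eid == CLEAN_STOP for _, eid in session)
        # Windows itself reports an unexpected shutdown around the time of the next boot.
        corroborated = any(eid in DIRTY and abs(t - boot) <= window for t, eid in events)
        last_seen = max(t for t, _ in session)  # never empty: includes prev_boot's 6005
        findings.append({
            "boot": boot,
            "previous_shutdown": "clean" if clean else "unexpected",
            "corroborated": corroborated,
            "unlogged": boot - last_seen,  # window in which no monitoring record exists
        })
    return findings

if __name__ == "__main__":
    for f in review_boots(SAMPLE):
        print(f["boot"], f["previous_shutdown"], f["corroborated"], f["unlogged"])
```

For the unexpected case the moment of power loss is not recorded at all; the `unlogged` value only bounds it by the last record written, which is the discontinuity the answer describes.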
3

There's a simple non-technical reason to have this requirement.

A user is unlikely to allow a laptop to run out of battery, especially once they know that this extra step is required.

However, an opportunistic thief will unplug any cables from the laptop to make a fast getaway unencumbered by cheaply replaceable accessories. By the time they get the correct power cable, the laptop may have fully discharged, adding an additional barrier to getting to the sensitive data.

This may sound like an unreliable mechanism for securing the laptop, but security mechanisms are often not absolute. They are about increasing the chances of keeping out an illegitimate user, while inconveniencing legitimate users as little as possible.

Jonathan Giddy
2

One reason I can think of why this situation might make sense is because the laptop has an encryption key stored in a cryptographic hardware module. A regular shutdown with some remaining battery left keeps the encryption key alive in the hardware module. But when the battery dies completely, the hardware module loses all power and thus the encryption key is wiped off from its internal volatile memory, requiring a sysadmin to unlock the encryption key in the hardware module.

Lie Ryan
2

I can only guess, but since the other answers are guesses as well: Depending on the laptop design, physical access to solder a keylogger or other device can involve removing the battery to open the laptop. As such, an admin would unlock the laptop and check if the battery had actually discharged, or if the power loss was due to the battery having been removed. If the battery was removed they'd need to assume tampering. If the battery drained completely, they have no idea what happened.

Peter