Server Operating System Security Patching

Summary

This document describes the Information Technology & Consulting (ITC) requirements for maintaining up-to-date operating system security patches on all Dartmouth College managed servers.

Body

Overview

ITC Infrastructure Services Team installs critical and security-related patches to the Operating Systems (OS) of systems and services managed by ITC.  The patches are released by the OS vendor and are designed to resolve security vulnerabilities and other bugs, as well as improve the usability or performance of an OS. ITC Infrastructure Services Team uses a patch management strategy plan to determine which patches should be applied to which systems at the time specified below.

Clients should expect that all applications will be down during these patch windows and should not post any transaction regardless of applications apparent status.  

NOTE:  Occasionally, critical patches are announced that must be applied immediately. When this occurs, ITC will promptly notify application owners that a patch cycle will happen with scheduling details.

Server Patching Schedule

Vendor Patch Release Tuesday:  Typically, vendors such as Microsoft announces security and other critical patches for their operating systems on the second Tuesday of the month. Infrastructure personnel reviews the released patches and asses which patches to apply. The patching team then deploys those patching according to these general guidelines.
 

Non-Production Servers and Databases
     Thursday following the Vendor Patch Release Tuesday (above)
     7 AM - 10 AM

Production Servers and Databases
     Thursday, and Friday one week after development patching. Friday is reserved as a cleanup day, where some systems may need more attention.
     2 AM - 7 AM
 

Status Updates and Communications

All users who wish to receive regular updates regarding server patching and other similar notification should subscribe to Statuspage. The Infrastructure Services Team will post a Dartpulse message within 24 hours before the production patch day.  Development systems have a much less impact and will not receive a Statuspage maintenance to avoid confusion.

 

Details

Details

Article ID: 105996
Created
Thu 4/23/20 11:07 AM
Modified
Thu 2/23/23 9:34 AM

Related Articles