Last updated June 2021
These are the guidelines/standards used by Tufts Technology Services (TTS) Enterprise Infrastructure and Operations (EIO) team for non-critical systems/server patching including all routine/preventative (server & database) maintenance. The information on this page is primarily for internal TTS purposes, for IT partners across Tufts, and to share information with the Tufts community that shows how these standards and maintenance windows provide for necessary patching to keep our systems safe, secure, and up and running.
Routine/Preventive (Server and Database) Maintenance means the application of non-critical server OS and database updates and security and bug fixes (“Routine Updates”). This standard, which covers the application of Routine Updates, applies to EIO-managed servers running Red Hat Linux and Microsoft Windows Server along with EIO-managed Oracle, SQL Server and MySQL database instances.
Server and Database software vendors routinely release system updates and non-critical security and bug fixes to their products at intervals throughout the year. Tufts obtains these routine updates and fixes under the terms of software support agreements.
Routine server and database maintenance falls into two categories:
- Planned Patch Cycle Maintenance – Semi-annual application of non-critical operating system updates and non-critical security and bug fixes.
- Planned Routine Maintenance – Application of non-critical operating system updates and non-critical security and bug fixes outside of semi-annual patch cycle work.
In contrast, Zero Day Vulnerabilities are critical vulnerability advisories and updates which are released on an ad hoc basis. Zero Day Vulnerabilities fall into the category of non-routine maintenance. EIO addresses these immediately.
Implementing routine/preventive server and database maintenance typically requires service downtime. To minimize any potentially negative impact on end users but still get the full benefits and value from applying routine/preventative maintenance, EIO performs routine/preventative maintenance at predictable times when user activity is known to be low and user impact is limited.
Routine server maintenance will be done as follows:
- The application of Routine/Preventive (server and database) Maintenance with a server reboot will be done:
  - Twice each year to Linux and Windows servers during semi-annual Summer and Winter Patch Cycles:
    - At agreed-upon times during July – August
    - At agreed-upon times during December – January
  - Monthly to Windows Active Directory (AD) and Active Directory Federation Services (ADFS) servers.
- Routine/preventative (server and database) maintenance (i) that has no potential for any impact on service delivery or (ii) that only affects servers not “visible” to customers will be done during the following windows:
  - Sunday – Saturday at any time
- Routine/preventative (server and database) maintenance with a low risk profile will be done during the following windows when possible:
  - Monday – Friday between 6 AM and 8 AM
  - Monday – Friday between 8 PM and 10 PM
- Routine/preventative (server and database) maintenance needing a post-change, early morning validation will be done during the following windows:
  - Monday – Friday between 6 AM and 8 AM
- Routine/preventative (server and database) maintenance work with a high risk profile or the potential for having a large impact is done during the following window:
  - Sunday between 6 AM and 10 AM
- When agreed upon by both TTS personnel and a server’s service or application owner, routine/preventative (server and database) maintenance can be done during a window other than one of those listed above.
Note: As each round of maintenance is done, EIO personnel will document progress in Box under C:\...\Box\ES Patching\YYYY-Winter\ or C:\...\Box\ES Patching\YYYY-Summer\ where YYYY is the year in which the then-current patching was started.
- April / October
  - OIS and EIO hold an initial meeting to review high-level scans and/or any other information to consider during the imminent semi-annual patch cycle.
- May / November
  - EIO management selects the current patch cycle’s Team Lead and patching team.
  - The Patching Team Lead updates the mailing list, announces the current patching cycle, opens a patch cycle Change Request and, with the team, plans out the next iteration of Routine Server and Database Maintenance patching.
  - The preliminary schedule is vetted and negotiated with server owner(s) and/or affected client(s).
  - The Team Lead publishes VM schedules and “specials.”
- June - July / December
  - The team identifies and tests repositories/patches.
- July - August / January - February
  - Non-production (Dev, Test, Stage) VMs are patched and verified.
  - OIS runs scans which EIO uses to analyze and assess patching efficacy.
- August / February
  - The EIO team completes production patching prior to Start-of-Semester and records the completion of patching by closing the patch cycle TechConnect Change Request opened in step 2, above.
  - OIS runs scans and will communicate any remaining risks.
  - OIS and EIO meet to review and close the patch cycle.
Affected EIO management will review this Standard annually.
Routine/Preventive (Server & Database) Maintenance Standard