29 November 2011

TMG log file change prevents Webspy import

Webspy Vantage is on of my favourite add on tools for TMG.  I use it for generating usage reports and for forensic tracing of user activity.
The TMG logs can be imported into webspy in one of  three ways.


  • Connect directly to the Logging Database on the TMG server if the logging is set to "SQL Server Express"
  • Import the log text files if the logging is set to "File" 
  • Use a MSDEtoText vbscript to log to SQL server express and generate a text file
TMG native reporting only works if logging to the local SQL Server express.  The advantage of using the last option is that you can keep native reporting and you are able to import files "offline" by simply importing the text files.  This reduces the time the TMG is losing resource while the logs are imported by Webspy.

This worked great until recently when there appear to have been a change to TMG logging.  The symptoms you would see in Webspy are the following:
  • Log files do not import any hits
  • Summaries cannot be generated as no storages are available to select (even thought they are there)
  • Reports contain no data




The reason for this is explained here by Stefanie from Webspy Support:

The problem is occurring because at the end of every log file is an additional TAB, which causes Vantage to think there is another field expected, and when it finds none it does not import the line. We have recently seen this issue with a few other clients

Existing files can also be fixed up by manually adding the word NULL to the end of the #Fields line, or removing the additional tab from the end of every line.

They have also updated the MSDEtoText Script to fix this issue available from:



Existing storage will have to be cleared or purged of all data for everything to start working properly again.


28 November 2011

uTorrent ignores bandwidth limits to corporate hosted torrents

One of the best things about the uTorrent client is the ability to really control how the files are transferred.  This can be on a schedule, stopped after a cap is reached etc.

If however the the peers are on the local network these bandwidth limits are ignored.  The thinking being that if they are on the local high speed LAN there is no need for bandwidth limits.

If however the local peers are on the other side of a slow WAN link you would still like to enforce the limits.

The setting to do this is

  • From the uTorrent console
  • Options
  • Preferences
  • BitTorrent
  • Check Limit local peer bandwidth




23 November 2011

Attach a physical disk to a Hyper-V virtual server

Generally speaking when referring to a virtual machine it is assumed that everything is virtual, including all the drives.  Virtual drive has a few advantages over normal drives.  They are single files that can easily be moved around, taken snap shots of etc.  The one drawback though is that your virtual drive is a single file.

You do have to option to attach a physical disk or pass through disk to your virtual machine.  This gives the VM direct access to the drive without needing to work through the hypervisor.  This in turn should you a performance advantage. On the down side you can no longer take snapshots of the VM

You cannot use removable storage as pass through disks.  So using a USB drive is not an option.

On the virtual machine host connect to the computer manager and go to the storage Manager

You need to mark the disk as offline


Now when you go to the Hyper V management console and select the setting from a stopped VM you will see the option to add the physical disk.

You can add it either to a  IDE or SCSI controller



Once nice thing is that the partitions remain as they are.  In the example below there were two partitions on the disk.


One nice advantage of this is that this is also an easier way to share data with offline machines, bring the disk on-line on the host, copy files and attach it to the VM again.



21 November 2011

Accommodate Tablets and Smart Phones in your company using TMG as a Wifi gateway Part II

In the previous article on this http://fixmyitsystem.com/2011/10/accommodate-tablets-and-smart-phones-in.html I covered the essential components involved in getting up and running.

In essence the Captivate plugin allows you to force authentication for a NAT user.  Normally this would be using Forms Based Authentication (FBA) against Windows (Active Directory)  This requires the TMG server to be a member of that domain.

In this article I will go through the steps required to set up a secondary  domain to authenticate guests against.  This allows to authenticate users against either domain.  This allows you to cater for Corporate users with corporate domain accounts on un-trusted devices such as iPad and Android tablets. And for true guests that do not require access to any of your corporate domain resources.  You can do all this  while still keeping the TMG server on your corporate domain.

First up I tried for a long time to get this working with ADLDS with no luck.  So I am using a separate Guest Domain on a  separate domain controller.

Step 1 Build a guest domain controller
For the purposes of this guest network, I do not need anything other than a place to create and expire users.  I will either be allowing an authenticated user or dropping the request.  Based on this very basic requirement I built a stand alone domain controller and edit the domain policy.

Policies - Windows Settings - Security Settings - Account Policies / Password Policies

Here you have the options to make the password requirement simple or more complex.  The one setting here will affect the ability to change password through the forms. Minimum Password Age.  By default it is set to 1.  This means that a password can only be changed by a user ever 24 hours.  So set it to 0

In the case of the guest network you might want to request or ask a user to change the password at the first log in.  If however the password is less then 24 hours old they will not be able to change it....



Step 2 Configure Authentication Server Settings
Here we are going to configure using LDAP as opposed to Windows (Active Directory)  Because of this we will have to manually specify the settings.
  • Form the console tree Expand the array
  • Select Firewall Policy
  • On the task pane on the right hand side scroll down an open Configure Authentication Server Settings
  • Select the LDAP Servers tab

Corporate domain
  • Create an LDAP server set
  • Click add
  • Specify the LDAP server set name
  • Add the  AD server you want to use and chnage the order if required
  • Specify the domain FQDN

Important - If you want to enable password management through the Authentication Form the following must be set

  • Un-check Use Global Catalog
  • Check Connect LDAP server over secure connection
  • Specify a username and password that is authorized to change passwords on that domain.

Guest Domain

  • Repeat the steps for the Corporate but of course specifying the guest domain servers and names

Configure Login Expressions
The login expression defines how the credentials will be formatted.  It can be either
  • domain\username  - guest\*
  • usernmae@domain.co - *@guest.co.za

Since in this case they are both Active Directory you can use domain\*

So you would have two entries:
corporate\* - Going to the Corporate LDAP server set
guest\* - Going to the Guest LDAP server set



Step 3 Validate LDAP connectivity
Since during the normal operation of this you dont really see what is going on, you will want confirm that both LDAP sources are working as expected.
  • On the TMG server Run LDP.exe
  • Form the connection menu select Connect
  • Specify the name of the FQDN of  LDAP server
  • Change the port to 636 
  • Check SSL
NOTE: If you do not want or need password management through the FBA you don't have to use SSL so the connection port would be 389 and you would uncheck SSL

At this point you have sent a connection request but you have not bound to it use a credential, so next up
  • Form the connection menu select Bind
  • Click the Advanced Button
  • Select Digest
  • Select Advanced (Digest) in the Bind type
  • Specify the credentials you used when setting up the LDAP server set
You should now get a successful Authenticated as message



Step 4 Limitations to be aware of
If you are using forms-based authentication with LDAP like I have set out here, TMG is not able to check if the password is valid or expired.  So unlike authenticating a against Windows (Active Directory) you will not automatically be redirected to the change password screen.  The user will just get and invalid credentials error.

The account cannot be marked with "User must change password at next logon" in active directory, if it is authentication will fail.

Conclusion
The ability to authenticate again multiple domains can be used to cater for specific user scenarios like this one.  You can enable a corporate user to use his private device without having to create a dedicated guest domain user, and likewise you can enable a guest user to use your corporate internet without having to create a corporate domain user just for this.



15 November 2011

Manually download individual updates for targeted installation

Windows Update is great, but sometimes you just urgently need one update for a few machines.  In this case I am going to go through manually downloading and installing the update for MS11-083.


  • Log in as an administrator on the local machine
  • Browse to the the Microsoft Update Catalog site http://catalog.update.microsoft.com/v7/site/home.aspx
  • Search for the security bulletin number
  • Add the update(s) for the affected Operating systems or products
  • View Basket
  • Download
  • Select a folder
  • Continue


Once the downloads are complete you can install them manually as they are in the standalone installer packaging

If you run into this issue trying to download


The website has encountered a problem  


[Error number: 800704DD] 
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem. 

It is caused because the user is not logged on.  You might get this if you have just run IE as an administrator as opposed to logging in as the administrator.


11 November 2011

Protecting corporate Mac OS X devices with Sophos endpoint


Preparing your Sophos Enterprise Environment
Most corporates have got fairly well defined and enforced anti virus policies - for Windows.  Since Macs are becoming more and more common place on the corporate network you need to make sure that they do not become an infection point.  This article will go through what is necessary to add support for Mac OS X machines to your existing Sophos deployment.


Adding the subscription to a Update Manager
This will download and configure the Sophos binaries that will be deployed to the Max machines.
  • From the Sophos Enterprise Console
  • Click Update managers
  • Next to Software Subscriptions click the add button
  • Provide a friendly name for the suvscription
  • Under platforms check Mac OS X 
  • Select the "Recommended" version
You will then need to configure an update manager to distribute this subscription


  • Select the desired update manager
  • Right Click - Edit configuration
  • Select the Subscriptions tab
  • Add the new Mac OSX subscription
  • Select the Distibution tab

Check that there is at least one share listed for the new subscription.  Keep a note of this location as this is where you will initiate your installation from.

Once this is done you will need to wait for the binary files to be downloaded before you can deploy.  This is a good time to carry on configuring the management settings.

Create Policies
Since the policies that you want to apply to Mac machines will be significantly different to PCs I would recommend setting up a dedicated AntiVirus and HIPS policy

From the Sophos Enterprise Console

Create a new updating policy
  • Check that the primary server is the same as you configured above
  • From the Subscriptions Tab select the new subscription created above
  • On the Schedule tab change the interval for checking for updates.

Create a new Anti-Virus and HIPS policy
  • These are by default configured for Windows. so there are a few places you will want to edit the defaults
  • Configure the on Access scanning as required
  • The main item to change is  in the Scan for section
  • Ensure you check "Macintosh Viruses"
  • I also always change the Check files on and Cleanup settings
  • Remember that Mac exclusions are in a separate tab




Create a Group and Assign the Policies
Create a new group for the Mac machines
  • Right click and "View edit group policy details
  • Select the two policies you created earlier
  • Ok




Your environment should now be setup to manage your Mac machines once they have been installed and come online.

Installing the Sophos Client

Copy the files locally to start the install. (The process below is my quick and easy version)

  • Open Safari and in the address bar put the address of your distribution point you took note of earlier
  • eg.     sbm://sophos03/SophosUpdate/CIDs/S008
  • Copy the ESCOSX folder to the local machine
  • Open the folder and execute the Sophos Antivirus.mpkg
  • Step through the wizard







Next up you will want to confirm that the machine is showing up in the management console.  
To establish what the machine's netbois name is
Go to System Preferences - Networks - Advanced - WINS


Managing the Mac OS X devices
Like Windows devices once the machine is up and running it will start communicating with the server.  From the Sophos Enterprise console expand group
  • Select Unassigned
  • You should now see the Mac machine listed there
  • You can confirm by checking the Netbios name and also by looking at the other filed in the Computer Details tab
  • Drag the MAc to your Mac group your created earlier

When the settings are being applied to the Sophos client you will see a notification appear


You can also confirm the settings on the client machine by opening the Sophos app and have a look at the preferences


Conclusion
Adding support for Max OS X devices is relatively straight forward.  Managing them is the same as managing a Windows PC.  Support for this can be added with minimal training.  It is an absolute no brainer for me - if you already have a Sophos environement for Windows use it for Mac.  As the client base of Apple continues to grow so does the attractive ness of the platform for malware writers.  The fact that these devices are poorly protected makes the target even bigger on their backs.



10 November 2011

TMG SP2 resets HTTP compression content types to default selection

A customised HTTP compression configuration will have the content types reset to the default selection.  The option to "Compress all content types except selected" and "Compress the selected content types only" will not be changed.  So if you have "Compress all content types except selected" chosen your configuration will essentially be inverted and then some.

Since the default content types cannot be altered, a custom content type is the only way to get granular control.  If for instance you would like to compress all image types except .gif (which normally increase in size slightly with compression) you don't have a choice but to create a custom images content type where you add all the default image types but leave out .gif.

Here is the default TMG compression configuration


Here is a customised compression configuration


Here is the customized compression configuration post SP2 install


Even if the TMG environment has not been customized prior to the SP2 installtion it might just be a good idea to check this after the install.

09 November 2011

Update PKI with new offline root CA CRL - step by step guide

As part of your PKI maintenance you will periodically need to update the CRL from the offline Root CA.  If you have inherited the PKI infrastructure you might now have all the required information handy.  The guide will hopefully take you through what you need to get your PKI status back to normal.

Terminology

CA - Certification Authority
PKI - Public Key Infrastructure
CRL - Certificate Revocation List
CDP - CRL Distribution Point
AIA - Authority Information Access

Process overview
  • Bring Root CA online
  • Create a new CRL
  • Copy the CRL to the network
  • Distribute to CDP and AIA
  • Verify the update is sucessfully installed
  • Diary entry for the next update date


Bring the root CA online
Best practise for a root CA is to have it totally offline.  It is also best practice to have the root CA as a virtual machine that an easily be backed up and restored should an issue occur.  Generally the process involves starting up the virtual machine and connecting via the VM console.  My personal suggestion here is also to make a snapshot before you start.

Check the current CRL

  • Browse to C:\Windows\system32\certsrv\certenroll
  • Open the .crl file
  • Check the Next update field - This is the expiry date
  • Make a note of the CRL Number for the verification step later




Create the new CRL

  • Open the MMC
  • Add the Certificate Authority Snap in select local computer
  • Expand the tree till you get to the Revoked Certificates node
  • Right click and select  - All tasks - Publish
  • Choose New CRL
  • Alternatively you can run  certutil -crl  to do the same thing 


You will also have to make a note of where the CDP and AIA locations are.  The updated CRL file needs to be copied to all these locations.

From the Certificate Authority snap in

  • Select the Root CA - Right Click -Properties
  • Select the Extensions tab
  • From here there is a drop box where you can select either the CDP or the AIA.

The box below will show where the locations are that you need to update.



This process should now have generated and saved the updated CRL to the C:\Windows\system32\certsrv\certenroll folder.


  • Check the updated CRL file as you did above.  This time the CRL number should have increased by 1 and the dates should be different.


Getting the CRL file on to the network

  • Create a virtual floppy
  • Attach it to your Root CA
  • Copy the CRL file onto the floppy
  • Detach the drive and connected it to a networked VM

(Alternatively - connect the VM to the network and copy the file across before disconnecting the VM again)

Distribute to CDP and AIA locations
The .crl file now needs to be copied to all the network CDP and AIA locations.  This is genereally a IIS server on the network.  The information gather above should help you track down the server.

Publish CRL to AD and the Issuing CA local root trust

  • Log onto the Issuing CA and open a command prompt as administrator
  • Browse to a directory that contains the new crl files
  • To publish to the Issuing CA certutil -f -addstore infile "FileName.crl"
  • To Publish to Active Directory  certutil -v -f -dsPublish “FileName.crl” RootCA 


Verify the update is sucessfully installed
Once the files have been copiesd to all the required location you can check the health of your PKI environement again.
  • Open the MMC console
  • Add the Enterprise PKI snap in
  • Expand to the Root CA
  • In the details pane you should now see that there are no warning or errors
  • The CDP location should also reflect the new dates

Double Clicking on the CDP field should open the new CRL file where you can again verify it is 100% correct.




Diary entry for the next update date
You will have to do this again in the future and since the interval is normally 6 months or more it is easy to forget.  Set up a meeting request where you and or another PKI admin nneds to perform these steps.  It is recommended that this be performed a few days prior to the actual expiry date to ensure proper propegation etc in larger environments.  Also copy in the link to this article...






07 November 2011

How to configure Connect From Anywhere for Remote Desktop Connection clients

Remote desktop connections to server are normally made with the Remote Desktop Connection application.  It seems everyone calls it something else. RDP client, Terminal Server client, Remote Desktop ...

Just to clarify I going to over the setting for c:\Windows\System32\mstsc.exe version 6.1.7601.17514 The version shipped with Windows 7.

How it fits together
Connect from anywhere is the client component for Remote Desktop Services Gateway (RDSGW).  This is normally configured for RDP session coming in from the Internet.  For you to try this out you would either need your own or a provided RDGW.  If you want to setup your own here are some guides on how to do it

http://fixmyitsystem.com/2010/08/rds-gateway-connection-broker-and-web.html
http://fixmyitsystem.com/2010/08/buildng-rds-load-balanced-farm-with-rd.html


RDSGW encapsulates the RDP data in SSL so it allows connection through HTTPS port 443, this normally allows tunneling through firewalls.

The RDSGW also enforces policies to govern what is and what is not accessible to who.
The Connection Authorization Policies (RD CAP) govern what authentication types are allowed as well as device redirection settings.
The Resource Authorization Policies (RD RAP) govern what servers a user is allowed to connect to.

Once a connection passes policy check the RDGW establishes a RDP session to the requestesed server on normal RDP port 3389 (unless specified otherwise in a policy.)

Manually Configuring the Remote Desktop Connection 
By default the Connect from Anywhere is set to "Automatically detect RD Gateway server settings"  This setting will for look for settings specified in group Policy.


  • Open the Remote Desktop Connection
  • Click the advanced tab
  • from the Connect from anywhere section click on Settings
  • Select the "Use these RD gateway server settings" radio button
  • Specify the RDGW FQDN name




The " Bypass RD gateway server for local addresses" will enable the connection to go direct without going through the RDGW.  The local addresses actually means that the client will attempt to look up and resolve the server name, if it cannot it will attempt to use the RDGW specified.

Depending on your requirement you can leave this enabled or un-check it to force all connection through the RDGW.

Once that is configured you can specify the server name you want to connect to on the General tab.
You do not have to specify the FQDN of your server as the RDGW will do that resolution.



Once you click connect the following will happen.

  1. The RDC will prompt for credentials
  2. The connection attempt is sent to the RDGW over HTTPS 443
  3. Your connection attempt it processed through the RD CAP and RD RAP policies
  4. The connection to the server is established on RDP port 3389 between the RDGW and the server.


Configuring the Remote Desktop Connection with Group Policy


The following will enable administrators to configure and optionally enforce the settings

Create and Edit a new group policy
Expand User Configuration - Administrative Templates - Windows Components - Remote Desktop Services
Under the RD Gateway key there are three settings


  • Set RD Gateway authentication method


Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.
If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the NTLM protocol that is enabled on the client or a smart card can be used for authentication.


  • Enable connection through RD Gateway


If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.
You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
Note: To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used.
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default.
If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.


  • Set RD Gateway server address


Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used.
To allow users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server, you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default.
Note: If you disable or do not configure this policy setting, but enable the "Enable connections through RD Gateway" policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.

These setting work in combination witch each other so check the options carefully.

One advantage of forcing all connection through the Gateways is that you can centrally control connection with the RD CAP and RD RAP policies.

Conclusion
The added functionality of using a RDGW can be utilized and enforced for both external and internal network connections.  It not only allows tunneling of connection from the outside but also enforces policies locally.  RDGW can be built in a NLB cluster so multiple nodes can be used to make it a high availability tier for RDS.

NOTE: this article pertains to the Remote Desktop Connection application.  RDS applications published through the Web interface or via RDP or MSI files are configured by the setting specified in the RemoteApp Manager.

Disclaimer - Group policy description copy and pasted from group policy directly

03 November 2011

Run any executable as a service

Generally speaking applications are either foreground user interactive apps or background services.  Sometimes there is a requirement to run one of these foreground applications as a service.  This process will cover this.  I will be using uTorrent in this example.

Additional required software
Service applications are made to be run as services.  Foreground apps are not, to get them to behave like services you need a "service wrapper"  This service will manipulate the application as if it were a service.

There are a few flavors out there but I am going to use instsrv.exe and srvany.exe.  These tools are part of the Windows 2003 resource kit.  http://www.microsoft.com/download/en/details.aspx?id=17657


  • Download and install the resource kit in the default location. c:\Program Files (x86)\Windows Resource Kits\Tools\


(As far as I could figure sc.exe allows you to create the service registry entries but it does not provide a wrapper like srvany does)

Preparing the service account
One of the advantages of running as a service is that you can choose the user account the application runs as.  In the uTorrent example it allows us to specify specific application setting in the application GUI.  When it starts up as that user account those settings are used.  If it is started as another account the default settings are used.

Service accounts are generally never used to log into a machine with.  Instead they tend to be local accounts with non expiring passwords.  This provides a "static" environment for the application to operate in.

  • Create and or Log on as the "service account"
  • Launch the application and make all required changes  - For uTorrent we are enabling the webUI Web interface and setting connection port and credentials.

Creating the service
This is a two step process. The first one will create the registry entries for the service wrapper.  The second part you will need to configure the wrapper settings.

  • Open a command prompt as an administrator
  • Enter the following:

C:\>"c:\Program Files (x86)\Windows Resource Kits\Tools\instsrv.exe" uTorrent " c:\Program Files (x86)\Windows Resource Kits\Tools\srvany.exe"


  • It should complete with the line "The service was successfully added!"


At this point you have created the wrapper service but not specified what the wrapper is supposed to execute.


  • Open regedit
  • Expand HKLM\System\CurrentControlSet\Services\
  • Located the service you just created (uTorrent)
  • Create a new sub key called Parameters
  • In the Parameters key create a string called Application
  • Specify the path to your executable no quotes required




At this point you now have a service that will execute your required application.  Next up you must define options you want to apply to the actual service.

Configuring the service
The following can be done from the services manager or by using sc.exe

  • Open the services manager
  • Locate and open the uTorrent service
  • From the General tab choose the Startup type (normally Automatic)
  • On the Log On tab change it to the service account created earlier

If it is a local account you can use .\account otherwise it must be domain\account


For far more granular setting pertaining to the service use the sc.exe command line utility.  Check http://support.microsoft.com/kb/251192 for more info.  This allows you do do things like set a description set the severity of the service failure etc.

Testing
To see that everything is working perfectly you should be able to restart the machine. Log on as another user and check the following:

  • The service should be running
  • The process should be running as your specified users
  • The application should be up and running as expected




More on using torrents
http://fixmyitsystem.com/2011/10/building-corporate-torrent-tracker.html
http://fixmyitsystem.com/2011/10/using-private-torrent-to-transfer-large.html
http://fixmyitsystem.com/2011/11/run-any-executable-as-service.html



Additional Links
http://support.microsoft.com/kb/137890/en-us

http://support.microsoft.com/kb/197178
http://www.deciphered.net/blog/2007/04/25/howto_install_utorrent_service_windows_home_server_whs_ctp
http://www.ehow.com/how_7421438_run-utorrent-service.html