Question CPU Red alarm level

[Curtis1]

Hi
I have a question.

Every so often I will get a plesk alarm email indicating that the CPU Usage has changed to "red". I just looked at the last 5 that I got, spread over the last few months. In every instance, the only processes shown that are running are the same 3 processes :

csrss.exe
winlogon.exe
LogonUI.exe

Am I to believe that logon attempts are causing high CPU usage ?
If it is not me logging in, would this imply someone is trying to hack into the server and blasting it with login attempts ?

Is there some other info i can look at to see what might be causing this ?
I sort of find it hard to believe it is hack attempts, otherwise I would think it would be happening every day or at least several times a week. But i might only get these alerts maybe once a week.
Any suggestions or ideas ?

 

[PavelV]

In case you assume someone trying to hack your server with login attempts, you should look at Event Viewer->Windows Logs->Security log.
There should be logged attempts to login to your server.

If you can find that there are lot of RDP login attempts, you can try to:
1) change default RDP port from 3389 to something unusual
2) check that Network Level Authentication is enabled for RDP. In case it is disabled Windows will try to start UI process for hacker trying to brute force attack your server. UI process wastes CPU time.