Ideas for CIS WorkBench as submitted to our Feature Upvote board. Ideas are ordered by 'new' and the 50 top matches are included. pr_hfwnlubmsz0yex4 2025-05-18T12:19:04Z sug_ln9ncgxbhdpb7re 2026-06-11T13:13:09Z 2026-06-15T14:14:20Z On my dashboard, there's a "quick link" to the list of published benchmarks (https://workbench.cisecurity.org/published/benchmarks?from=dashboard). This list has no search, nor the option to show all benchmarks on one page so I could easily use ctrl-F in my browser. Please add a search function to that list, if possible. The "normal" (not quick) list (https://workbench.cisecurity.org/benchmarks) has a search, so this list is the real quick one as I don't have to click through 72 pages. sug_g6lqjbb5okrhjto 2026-05-12T08:57:46Z 2026-05-19T13:22:43Z CIS Red Hat Enterprise Linux 9 Benchmark Section 1.6.2 (Ensure system wide crypto policy is not set in sshd configuration) is wrong. On RHEL9 system wide crypto policies are not set this way anymore. More info here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#examples-of-opting-out-of-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies Neither audit nor remediation procedure does anything. Every RHEL9 will always pass this audit procedure. sug_x6ug1fqxgzrk1ol 2026-04-23T19:32:28Z 2026-05-11T13:10:25Z Within the Windows Server 2022 Benchmark v5.0.0 Build Kit, there is a callout in the PDF documentation to import GPOs for L1 Domain Controllers. Those CIS Group Policy Object Names are: User-L1, Services-L1, and DC-L1. When unzipping the package, there is no Services-L1, only Services-L2. sug_r2lymghkcift9dp 2026-02-16T15:28:25Z 2026-05-11T13:09:37Z Currently using the C4K-linuxmint-10-25-2025.iso to install CIS-configured Linux Mint 22.2 Cinnamon for the Reno Cigar Lions Club's Computers 4 Kids giveaways. I understand Linux Mint 22.3 "Zena" is now available. Is there an effort to install the CIS configuration and generate an iso for this newer version? There is no urgent need, just curious. Our client kids and their parents will get a pop-up indicating Zena is available to install. I am new to this and don't know if the CIS configurations from 22.2 will be overwritten or not and therefore cannot advise our clients appropriately. Please advise. sug_uijdzllfqflfknh 2026-04-30T08:07:05Z 2026-05-04T16:56:52Z For GitLab "1.1.5 Ensure there are restrictions on who can dismiss code change reviews" I think the audit procedure is not complete what happens after I "Expand Protected branches." sug_ansbib3mtwjnka8 2026-04-26T12:47:26Z 2026-04-27T13:23:12Z Can’t figure out how to change my account email. Please advise. sug_zi8cfexljajvwvu 2026-04-21T09:54:28Z 2026-04-27T13:19:15Z Add the moment the build kit and scan for CIS Microsoft Windows 11 Enterprise Benchmark v5.0.1 is fully setup on Active Directory. We would like to move our workloads from AD to Intune only for these Hybrid devices nothing is in place. The Intune for Windows 11 is missing allot of settings necessary add the moment. Add hopefully this month the version 5 will also be released for Intune. sug_pf3wfolqp5pz3ni 2026-04-13T10:51:42Z 2026-04-20T17:51:01Z CIS Red Hat Enterprise Linux 9 Benchmark Section 1.6.2 (Ensure system wide crypto policy is not set in sshd configuration) is wrong. On RHEL9 system wide crypto policies are not set this way anymore. More info here: https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#examples-of-opting-out-of-system-wide-crypto-policies_using-the-system-wide-cryptographic-policies Neither audit nor remediation procedure does anything. Every RHEL9 will always pass this audit procedure. sug_zvpxk4cfdahgcbo 2026-04-10T06:56:23Z 2026-04-20T17:47:33Z I have reviewed several benchmarks, particularly those related to Windows Workstation and Windows Server. Overall, I found that most controls are well-defined and described in depth. However, I noticed that a few areas seem to be either missing or not fully covered—possibly due to limitations in automation. Specifically, it would be beneficial to include more detailed guidance, including overviews and remediation steps (or sub-sections), for the following areas: IP Security Wired Network configurations Public Key Policies Software Restriction Policies Providing additional context or structured remediation details for these categories would enhance completeness and usability. Additionally, if possible, it would be helpful to include a basic checksum verification script as part of the benchmark resources to support integrity validation. sug_l2yh8eogk5fsxqh 2026-04-13T11:01:08Z 2026-04-20T17:43:36Z for SUSE SLES 16? sug_l6r4hw8syc3quml 2026-03-07T09:12:22Z 2026-03-20T16:54:05Z Hi, I would be very helpfull to have a set of Benchmarks for CIS CAT Pro for instances of Windows Server where the customer uses a 3rd party Virusscanner/Firewall. At current customers are required (1) investigate which controls are Virusscanner/Firewall related and (2) set each of of them to manual. It would be very helpful if this would be possible from the get go. Maybe a checkbox in CIS CAT Pro to check where all these controls can de "deactivated"? With regards sug_ojn9u1punkor9o1 2026-03-10T03:50:58Z 2026-03-20T16:52:52Z 2.2.23 (L1) Ensure 'Generate security audits' is set to 'LOCAL SERVICE, NETWORK SERVICE' FAILED due to: Output 'printspoolerservice' && 'network service' && 'local service' Policy Value 'LOCAL SERVICE' && 'NETWORK SERVICE' I believe Windows 11 newest version includes 'printspoolerservice' by default in this, so the check fails. Maybe related to this? https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231 Would be good to review update your benchmark if required. Thank you EDIT - same for '2.2.24 (L1) Ensure 'Impersonate a client after authentication' is set to 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE'' Output 'printspoolerservice' && 'service' && 'administrators' && 'network service' && 'local service' Policy Value 'Administrators' && 'LOCAL SERVICE' && 'NETWORK SERVICE' && 'SERVICE' sug_gbli29o2vckudca 2026-03-19T13:22:28Z 2026-03-20T16:51:02Z There is no XML file available for F5, and the only version of F5 currently listed is archived. Could you upload a newer version or make the XML file available? sug_mbx0notmmpxuxt1 2026-02-26T19:01:41Z 2026-03-02T13:17:59Z sug_d0hbzfsg4xcz9ni 2026-02-20T09:09:53Z 2026-02-23T13:26:10Z Since new CISCAT 4.58/9 the regular Oracle19c Benchmark for unified auditing has been removed/disappeared. This was available until CISCAT 4.56/7. Please add this functionality or put it in place in the new coming ciscat-versions sug_0pcyiplmm3hgcmu 2026-02-20T18:42:40Z 2026-02-23T13:16:05Z From this page. (https://workbench.cisecurity.org/download/cis-cat/assessor). 404-Dead link - (https://workbench.cisecurity.org/community/30/discussions/12709) sug_qjzrqoooclp7ycr 2026-02-12T08:27:01Z 2026-02-17T15:35:26Z Outside CIS AIX we also have the PowerVM VIOs (AIX-based but configured differently and delivered separately from AIX), any thoughts on this? sug_eiemma5itliejoi 2026-02-12T08:24:11Z 2026-02-17T15:35:13Z Assessment for IBM HMC (hw appliance and virtual HMC) would be interesting. sug_zasqlbcvbcvrkpq 2026-02-16T09:16:07Z 2026-02-17T15:33:23Z Rather than relying on passwords, which you understandably want rotated (frequently), please adopt passkeys, which would be simpler for end-users, and more secure. sug_xu9b0kxomfuqz3x 2026-01-12T13:41:04Z 2026-02-04T14:22:56Z Hello, there is No Active License Keys for Orange. I can not use my Assessor Pro application. Do you know what happened? Regards Paweł Giergoń Orange Polska sug_mhjkf2x2gg1hdg6 2026-01-08T20:37:01Z 2026-02-04T14:18:47Z I get a lot of emails about work being done in Workbench, but few of them seem to give me the context I need within the email or in the link to understand what was actually done. For instance today I got an email that says "USER 1 modified recommendation 1.1.1 Enable 'aaa new-model'". When I select "View Recommendation" in the email I'm taken to the correct remediation but all I see if current version and 2 months ago. It doesn't seem like this was changed at all and if it was the UX is not showing that in any actionable way. I REALLY want to be involved in updates and I'm just struggling to use Workbench to see what's actually happening in these benchmarks. Seeing the history of a benchmark as it progresses is difficult at best, but feels impossible often. sug_xszuocxk9wb8dye 2026-01-28T13:51:01Z 2026-02-04T14:14:04Z i want to audit network security in the financial sector, for perfect assessment network efficiency i want a good checklists for the success of my audit points please provide me with great support and guide me for perfect work sug_h7wqwjik9nbujgd 2026-01-29T13:28:10Z 2026-02-04T14:08:42Z The option : Service principals can use Fabric APIs is not an option anymore. Probaply changed or removed. https://workbench.cisecurity.org/sections/3075062/recommendations/5003625 There should be an update for this check. sug_jhhffpozlk1xpd6 2026-01-12T17:29:05Z 2026-01-26T15:10:26Z I’m looking for a way to compare Windows 11 Enterprise CIS Benchmarks version 3.0 against version 4.0. It has been challenging to identify which policies have changed, which are new, and which have been removed. If there’s an effective method or tool for this comparison, please share your approach. If not, I’d like to suggest an enhancement request for a report or feature that provides a clear comparison between versions. Thank you! sug_sc75silfihnelyy 2025-12-30T14:34:10Z 2026-01-06T14:23:18Z The Benchmarks page (https://workbench.cisecurity.org/benchmarks) really needs basic functionality like filters. I should be able to pick an OS from dropdown. Thank you. sug_zdbappwbhgzvipp 2025-12-22T16:18:04Z 2025-12-29T14:35:22Z In our forked benchmark, we review each recommendation and the ones we will use have their status changed to "Accepted". But when we duplicate or fork from this benchmark in order to publish a minor/bug fix release, the status of all recommendations goes back to "draft". In relation to this, please provide a feature in the GUI or via API to bulk update the status of recommendations. At a minimum, please allow to change the status from the profiles section. Right now, to change the status we would need to go each recommendation individually and change it from that page. sug_sxpzscred76e8ih 2025-12-08T10:11:51Z 2025-12-08T14:52:55Z Dear CIS team, I totally understand your CIS account review process and that you want to disable accounts that are not used anymore. What I don´t understand is, that you require a mandatory password change, when I log-in again and confirm that I´m still using my account. I need my CIS workbench account rarely, but I need it. Having to change the password after every account inactivity notification also does not align to NIST SP 800-63-3 (Password reset - Required only if the password is compromised or forgotten.). Frequent changes of passwords lead to weaker passwords and annoys users. It would be highly appreciated if you could change that. Best regards Sebastian sug_7l6tntahxkqfz7a 2025-11-13T14:00:12Z 2025-11-21T15:45:24Z There is a continued lack of communication in the status of the release of v4.57 this is impacting my project and put at risk our longstanding recommendation of its use to our customers sug_zdjigykeqzte4mt 2025-11-11T08:51:27Z 2025-11-17T14:53:46Z Hi, I have looked into the profiles of CIS for Red Hat Enterprise, and found the checks for ASLR are implemented differently. (FP = False Positive) CIS Red Hat Enterprise Linux 7 Benchmark v4.0.0 §1.4.1 FP CIS Red Hat Enterprise Linux 8 Benchmark v4.0.0 §1.5.8 TP CIS Red Hat Enterprise Linux 9 Benchmark v2.0.0 §1.5.1 FP CIS Red Hat Enterprise Linux 10 Benchmark v1.0.1 §1.5.8 TP Only RHEL 8 and RHEL 10 has working versions. Can you fix the RHEL 7 and RHEL 9 scripts? sug_ceafowfa68jxjcm 2025-10-31T19:09:01Z 2025-11-17T15:01:08Z If you visit https://workbench.cisecurity.org/support-center/pages/recorded-webinars you will see a link to a video on CIS-CAT Pro on Linux/Unix but the video link is for CIS-CAT Pro Dashboard and not CIS-CAT Pro for Linux. It does appear they might scan a remote system based on the intro...but should there be a video JUST on the tool for Linux? sug_ehtndxn5en9h5sa 2025-10-28T11:45:16Z 2025-11-25T20:34:30Z CIS Microsoft Windows Server 2016 Benchmark v4.0.0 2.3.10.1 (L1) Ensure 'Network access: Allow anonymous SID/Name translation' is set to 'Disabled' Below Audit procedure is technically not achievable Audit Procedure Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location with a REG_DWORD value of 1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:TurnOffAnonymousBlock sug_hf5kuqdel3cum0k 2025-10-28T10:29:19Z 2025-11-25T20:36:48Z The Audit procedure for 2.6.6.6.2.1.1 in the Office Enterprise benchmark suggests the path to be: "HKEY_USERS\[USER SID]\SOFTWARE\Policies\Microsoft\office\16.0\excel\powerpoint\security\fileblock:binaryfiles". The excel directory does not contain a powerpoint directory. This can be fixed by removing "excel" from the path, since this control is targeted at the powerpoint section. This error is included in the currently published version 1.2.0 and the vNext. sug_bf3xt1qfxs1eyyh 2025-10-16T07:20:19Z 2025-10-20T11:59:51Z Dear Team, We are using Toad server but when we perform cis scan then we got an error oci error kindly check sug_vtyvvudpqpdaidr 2025-10-09T13:57:51Z 2025-10-20T11:58:07Z We see that motd accesses a server on AWS on port 8089. But should this service not be disabled, or at least not being able to contact servers on the internet and exchange information. We can not find explicid instructions on disabling motd , but it seems a irrelevant service that should be disabled. sug_pd5q0qkiudsw2q7 2025-10-03T03:05:25Z 2025-10-14T14:14:21Z add user button does not always work when I click on it. sug_869qhcwmfdkcozz 2025-09-24T14:11:03Z 2025-09-29T13:15:35Z When going to your v2.1.0 build kit => CIS Apple macOS 14.0 Sonoma Benchmark v2.1.0 - Build Kit We are offered to download this build kit => CIS_Apple_macOS_14.0_Sonoma_Benchmark_v2.0.0_Configuration_Profiles.zip But inside the zip file are the right recommendations (v2.1.0) => CIS_macOS_14_Sonoma_v2.1.0_Level_2.mobileconfig This caused us to delay implementation because we kept thinking our team members were uploading the wrong benchmark. Kindly Thank you for all the work you do. sug_n32wviyhaz28xo3 2025-09-22T06:56:50Z 2025-09-29T13:18:26Z in CIS Workbench Downloads, sorting by "updated" field is not working correctly. sug_tngjvl46wo2p3wm 2025-09-19T14:40:51Z 2025-09-22T15:56:28Z sug_7ejau2kitvxg8z3 2025-08-26T14:14:41Z 2025-09-02T15:30:45Z I was trying to search for build kits under the downloads section. If I typed in "build kits" it gave me many results. If I added additional words such as "windows", it provided no results, despite there being items with "windows" in their title that showed in the previous search results. I tried different strings such as "microsoft windows" and that yielded many results, however, if I then searched "microsoft windows build kits" it showed no results again. If I type in "microsoft windows server domain" it provides relevant results. So, it appears that the default search is set to only return results on exact matches of text strings/words in the order they are titled (vs. any order). Fixing this and/or providing a filtering breakdown function on the side would make it a lot easier, quicker, and nicer to use. Thank you. sug_pvu0h2g3ttjrsmx 2025-08-15T16:47:36Z 2025-09-02T15:33:22Z Tried to view the "What's changed" URL and got a 401 error. Assessor v4.56.0 (latest) Analyze target systems configuration and generate reports. See what's changed. sug_azij1fhuj1qlbe4 2025-08-14T14:51:13Z 2025-09-02T15:33:46Z why is there no search function within a benchmark? For example, I need to find all the controls that relate to PIN complexity in the "CIS Microsoft Windows 11 Enterprise Benchmark v4.0.0". I have not found another way to do this than downloading the PDF or xlsx and search the text in the files. sug_akgxkzmb2j5vpfg 2025-07-30T01:58:44Z 2025-08-04T14:52:01Z The control is about secure archive log location but the benchmark requirement is "Although there are many ways to ensure that your primary logs will be archived, we recommend using the value of DISK as part of the LOGARCHMETH1 parameter. This will properly ensure that the primary logs are archived. A finding of OFF is not acceptable." Why it is related to the control objective? sug_kw4ygmf8ei9thur 2025-07-23T19:24:52Z 2025-07-28T14:24:29Z Hey Guys, So my suggestion is that you make all your effort a little bit more intuitive or user-friendly, maybe also actualize the infos, I have the feeling there is not updated. ex.: CIS-CAT-LITE cannot remotely asses... correct me if Im wrong? I also asked for a pro version to test remotely... still today no answer... not even an autoresponder... I tried with the CIS-CAT-LITE Version, reading your docs it should be able to remote assess, no it is not. Tried to download a benchmark for ubuntu24, I got the PDF but not the benchmark, it is impossible to download it... So I tried to get some results 2 days and I have nothing... so maybe someone could help? or give some advice? sug_lyvmrui9pd8uspw 2025-07-22T15:32:26Z 2025-07-28T14:39:16Z On the CIS Published Benchmarks page, there are 22 pages with benchmark items. It would be useful to have a search bar to look for some titles. sug_nove9arxrxrmehs 2025-07-16T05:38:58Z 2025-07-21T12:19:34Z As per the title - this would allow us to sort things (usefully) quickly to keep up-to-date whereas currently sorting by those fields is...sub-optimal! ;-) sug_3bvhqfgoa69ivb1 2025-06-27T20:26:09Z 2025-06-30T12:25:30Z Just need a simple direct link to download CIS-CAT, but the email confirmation just directs to Workbench, and within Workbench it's not obvious to me. sug_dl37e1rcrgbmdhd 2025-06-18T13:26:32Z 2025-07-01T14:40:57Z For use with the CISCAT Pro Assessment tool XML files are used for checking you system against a benchmark, please ensure that all benchmarks have an XML file available for this purpose, rather than forcing users to have to create a workaround using Excel to create the XML file. sug_gooo5vcgx8cgwvz 2025-06-17T22:04:21Z 2025-07-01T14:44:13Z Hello I have run Assessor successfully on a Windows 11 before but ran into a machine that it stalled on at Credential Validation is equal to audit success failure . It won't go any farther. Tried gui and cli (with java 11) turned off bitlocker turned off defender running everything as administrator. I am at a dead end. would be nice to have just a IG1 benchmark thanks sug_osrw4wl7ktwfzfa 2025-06-09T12:33:13Z 2025-07-01T14:49:58Z sug_951ac5wyx9oeefp 2025-06-05T13:58:39Z 2025-07-01T14:52:30Z Hello all, At least on workbench the data page for 18.10.43.11.1.1.2 contains info on 18.10.43.11.1.1.1, not 18.10.43.11.1.1.2. Thanks