How to Block Executable Content from Email & Webmail (Windows Server 2025)

Xitiz Basnet

Published Apr 29, 2026

Executable files delivered through email or webmail are a common attack vector. In this guide, I’ll walk you through how to use Group Policy + Attack Surface Reduction (ASR) to block them effectively in a domain environment.

📌 Why This Matters

Blocking executables from email clients and webmail helps:

Reduce malware and ransomware risks
Strengthen endpoint security
Enforce safer user behavior

⚙️ Step-by-Step Configuration

1️⃣ Open Group Policy Management

Go to Server Manager
Navigate to Tools > Group Policy Management
Select your domain (e.g., xitiztechservices.local)

2️⃣ Create a New GPO

Go to your OU (e.g., Domain_Users)
Right-click → Create a GPO in this domain, and link it here
Name it: Block Executable Content From Email Client and Webmail

3️⃣ Edit the GPO

Right-click the Block Executable Content From Email Client and Webmail GPO → Edit

4️⃣ Navigate to ASR Settings

Computer Configuration 
> Administrative Templates 
> Windows Components 
> Microsoft Defender Antivirus 
> Microsoft Defender Exploit Guard 
> Attack Surface Reduction

5️⃣ Configure ASR Rule

Open: Configure attack surface reduction rules
Set to Enabled

👉 Click Show under: Set the state for each ASR rule

Add the following:

Value Name (GUID): 3B576869-A4EC-4529-8536-B80A7769E899
Value: 1 (Block)

📌 This GUID specifically blocks executable content from email clients and webmail.

6️⃣ Apply the Policy

Run on both server and client:

gpupdate /force

🔄 Restart the client machine

🧪 Testing

Try opening an .exe file from email or web download.

🚫 Expected result:

This app can't run on your PC
To find a version for your PC, check with the software publisher.

✅ Final Thoughts

This is a simple yet powerful security hardening step using built-in Microsoft Defender capabilities.

Implementing ASR rules like this can significantly reduce your organization's attack surface without requiring third-party tools.

#CyberSecurity #WindowsServer2025 #GroupPolicy #MicrosoftDefender #ASR #ITSecurity #SysAdmin #EndpointSecurity

To view or add a comment, sign in

More articles by Xitiz Basnet

🚀 How to Remotely Run a Ping Test for Domain Connectivity (PowerShell Guide)

Apr 29, 2026

🚀 How to Remotely Run a Ping Test for Domain Connectivity (PowerShell Guide)

If you're managing an IT environment with multiple domain-joined systems, verifying connectivity between machines is…
Understanding Microsoft Verified ID: The Future of Digital Identity

Apr 29, 2026

Understanding Microsoft Verified ID: The Future of Digital Identity

In today’s digital-first world, identity is everything. Whether you’re logging into a service, verifying your…
How to Block Users from Installing Chrome Extensions (Windows Server 2022 GPO Guide)

Apr 29, 2026

How to Block Users from Installing Chrome Extensions (Windows Server 2022 GPO Guide)

In many organizations, controlling browser extensions is critical for security, compliance, and performance. By…
Teamwork Solves Problems — But Documentation Builds the Future

Apr 28, 2026

Teamwork Solves Problems — But Documentation Builds the Future

🔍 Introduction: The Reality of IT Work In every IT team, we face challenges daily—system failures, user issues…
Windows Server 2025 Security: Change Remote Desktop (RDP) Port on a Domain Controller

Apr 28, 2026

Windows Server 2025 Security: Change Remote Desktop (RDP) Port on a Domain Controller

Remote Desktop Protocol (RDP) is one of the most commonly targeted services in enterprise environments. Changing the…
How to Deploy Notepad++ to All Domain Computers Using Group Policy (Windows Server 2025)

Apr 28, 2026

How to Deploy Notepad++ to All Domain Computers Using Group Policy (Windows Server 2025)

🧾 Overview This guide explains how to deploy Notepad++ to all domain computers using Group Policy in Windows Server…
🛡️ How to Block VBS Scripts Using Group Policy (Windows Server 2025)

Apr 28, 2026

🛡️ How to Block VBS Scripts Using Group Policy (Windows Server 2025)

VBScript (.vbs) files can be a security risk if misused.
How to Deploy Notepad++ to All Domain Computers Using Group Policy (Windows Server 2025)

Apr 28, 2026

How to Deploy Notepad++ to All Domain Computers Using Group Policy (Windows Server 2025)

Automating software deployment across domain computers is a core skill for IT administrators. Here’s a practical…
How to Configure a DHCP Server on a MikroTik Router (Step-by-Step Guide)

Apr 28, 2026

How to Configure a DHCP Server on a MikroTik Router (Step-by-Step Guide)

Setting up a DHCP server on a MikroTik router ensures automatic IP assignment, making network management more efficient…
Disable Password Saving in Microsoft Edge for Domain Users (Windows Server 2025)

Apr 28, 2026

Disable Password Saving in Microsoft Edge for Domain Users (Windows Server 2025)

Controlling how users store credentials is a key part of enterprise security. One effective step is disabling password…

See all articles

📌 Why This Matters

⚙️ Step-by-Step Configuration

1️⃣ Open Group Policy Management

2️⃣ Create a New GPO

3️⃣ Edit the GPO

4️⃣ Navigate to ASR Settings

5️⃣ Configure ASR Rule

6️⃣ Apply the Policy

🧪 Testing

✅ Final Thoughts

More articles by Xitiz Basnet

🚀 How to Remotely Run a Ping Test for Domain Connectivity (PowerShell Guide)

Understanding Microsoft Verified ID: The Future of Digital Identity

How to Block Users from Installing Chrome Extensions (Windows Server 2022 GPO Guide)

Teamwork Solves Problems — But Documentation Builds the Future

Windows Server 2025 Security: Change Remote Desktop (RDP) Port on a Domain Controller

How to Deploy Notepad++ to All Domain Computers Using Group Policy (Windows Server 2025)

🛡️ How to Block VBS Scripts Using Group Policy (Windows Server 2025)

How to Deploy Notepad++ to All Domain Computers Using Group Policy (Windows Server 2025)

How to Configure a DHCP Server on a MikroTik Router (Step-by-Step Guide)

Disable Password Saving in Microsoft Edge for Domain Users (Windows Server 2025)

Explore content categories