Which practice reduces the attack surface on network devices?

Reducing the attack surface on network devices means cutting back on the number of entry points that an attacker could exploit. Every active service, port, or feature adds another avenue a bad actor might try to abuse, so keeping only what’s absolutely needed lowers risk. Disabling unused services directly achieves that goal. When a service isn’t running, its associated ports aren’t open and there are fewer code paths that could be misconfigured or exploited. This makes it harder for attackers to find a way in and also reduces maintenance complexity, since there are fewer components to monitor and secure. Enabling all services would widen the attack surface, creating more potential targets. Using weak passwords creates a different risk vector—credential compromise can occur even if the surface is otherwise minimized. Delaying firmware updates leaves known vulnerabilities unpatched, so even with fewer services, a device can still be exploited through outdated software.