Principle of least privilege (PoLP)

One of the security principles that can be applied to software systems is the principle of least privilege (PoLP). The principle of least privilege, sometimes referred to as the principle of least authority, tells us that a user or process should be granted only the privileges it actually needs, in order to reduce security risk. Following this principle is one way to minimize the attack surface.

In addition to each user being granted as few privileges as necessary, each component of a system should be granted only the privileges it needs. Complex components should not hold a large number of privileges; if necessary, a complex component should be split into simpler components.

It may take some effort to determine what the least amount of privilege actually is, and it is often easier to assign more privileges than are necessary. Even so, being as precise as possible about the privileges that are actually required is what minimizes the attack surface.
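The following is an added example, not code from the original text, that shows the principle applied to software components. A hypothetical "report" feature is split into two simpler components, each holding a `Grant` that names the one directory tree it may touch and the operations it may perform; everything outside the grant is denied by default. The `Grant`, `read_file`, `write_file` and `demo` names and the directory layout are constructed for illustration and do not refer to any real system's API.

```python
"""Added example: a minimal privilege-scoped file broker.

Each component receives a Grant naming the one directory tree it may touch and
the operations it may perform. Everything else is denied by default, which is
the least-privilege stance described above. Illustrative code only; the names
and layout are constructed and not taken from any real project.
"""
import os
import tempfile
from dataclasses import dataclass, field


class PrivilegeError(PermissionError):
    """Raised when a component asks for something outside its grant."""


@dataclass(frozen=True)
class Grant:
    """The complete set of privileges held by one component."""
    component: str
    root: str  # the only directory tree this component may touch
    ops: frozenset = field(default_factory=frozenset)  # e.g. {"read"} or {"write"}


def _resolve_inside(grant: Grant, path: str) -> str:
    """Canonicalise `path` and confirm it stays under grant.root.

    realpath() collapses '..' and follows symlinks, so a relative path that
    points outside the granted tree is rejected rather than followed.
    """
    root = os.path.realpath(grant.root)
    target = os.path.realpath(os.path.join(root, path))
    if os.path.commonpath([root, target]) != root:
        raise PrivilegeError(f"{grant.component}: {path!r} is outside {grant.root!r}")
    return target


def read_file(grant: Grant, path: str) -> bytes:
    """Read a file, but only if the grant includes 'read' and the path is in-tree."""
    if "read" not in grant.ops:
        raise PrivilegeError(f"{grant.component}: no read privilege")
    with open(_resolve_inside(grant, path), "rb") as fh:
        return fh.read()


def write_file(grant: Grant, path: str, data: bytes) -> int:
    """Write a file, but only if the grant includes 'write' and the path is in-tree."""
    if "write" not in grant.ops:
        raise PrivilegeError(f"{grant.component}: no write privilege")
    with open(_resolve_inside(grant, path), "wb") as fh:
        return fh.write(data)


def demo() -> dict:
    """Build a constructed directory layout and exercise two scoped components.

    Returns a dict of outcomes so the behaviour can be checked programmatically.
    """
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "reports"))
    os.makedirs(os.path.join(base, "secrets"))
    with open(os.path.join(base, "secrets", "db.key"), "wb") as fh:
        fh.write(b"constructed-secret")  # constructed sample, not a real key

    # One complex "report" component split into two simpler ones, each with its
    # own grant: the writer may only write under reports/, the viewer may only read there.
    writer = Grant("report-writer", os.path.join(base, "reports"), frozenset({"write"}))
    viewer = Grant("report-viewer", os.path.join(base, "reports"), frozenset({"read"}))

    out = {}
    out["write_ok"] = write_file(writer, "daily.txt", b"all systems nominal")
    out["read_ok"] = read_file(viewer, "daily.txt")
    try:
        read_file(writer, "daily.txt")  # the writer was never granted "read"
        out["writer_read"] = "allowed"
    except PrivilegeError:
        out["writer_read"] = "denied"
    try:
        read_file(viewer, "../secrets/db.key")  # points outside the granted tree
        out["escape"] = "allowed"
    except PrivilegeError:
        out["escape"] = "denied"
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that each component's `Grant` is the full description of what it may do, so the cost of reasoning about a privilege set is paid once, at the boundary, and a component that later grows more features must have its grant widened explicitly rather than inheriting privileges it never needed.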