diff --git a/data/Makefile.am b/data/Makefile.am
index d71c5c5..6043b08 100644
--- a/data/Makefile.am
+++ b/data/Makefile.am
@@ -15,7 +15,7 @@ if HAVE_SYSTEMD
 systemdservicedir = $(systemdsystemunitdir)
 systemdservice_DATA = $(systemdservice_in_files:.service.in=.service)
 $(systemdservice_DATA): $(systemdservice_in_files) Makefile
- @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@
+ @sed -e "s|\@libexecdir\@|$(libexecdir)|" -e "s|\@localstatedir\@|$(localstatedir)|" $< > $@
 endif
 polkitdir = $(datadir)/polkit-1/actions
diff --git a/data/fprintd.service.in b/data/fprintd.service.in
index cbf88d4..150e58a 100644
--- a/data/fprintd.service.in
+++ b/data/fprintd.service.in
@@ -6,3 +6,23 @@ Documentation=man:fprintd(1)
 Type=dbus
 BusName=net.reactivated.Fprint
 ExecStart=@libexecdir@/fprintd
+
+# Filesystem lockdown
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@localstatedir@/lib/fprint
+ProtectHome=true
+PrivateTmp=true
+
+# Network
+PrivateNetwork=true
+
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+# Modules
+ProtectKernelModules=true
+
+# Real-time
+RestrictRealtime=true
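Review bot: In the `$(systemdservice_DATA)` rule of data/Makefile.am, nothing ties the list of `-e` expressions to the placeholders used in the `.service.in` files, so a token added later without a matching expression would ship literally in the installed unit while the build still succeeds. That matters more now that the unit's only writable path, `ReadWritePaths=`, depends on this substitution. I would add a comment above the rule, `# Each @var@ used in a .service.in file needs a matching -e expression below.` The enclosing `if HAVE_SYSTEMD` block starts outside the hunk.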
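Review bot: `ReadWritePaths=@localstatedir@/lib/fprint` in data/fprintd.service.in names a directory that nothing in this unit creates; systemd refuses to set up the mount namespace when a listed path is missing (unless it is prefixed with `-`), so unless packaging creates the directory the service would likely fail to start on a fresh install, and under `ProtectSystem=strict` the daemon cannot create it itself. `StateDirectory=fprint` would have systemd create the directory and make it writable, provided the minimum supported systemd has that directive and the daemon's storage really lives under /var/lib, which is not visible here. The expanded `@localstatedir@` also has to match the path compiled into the daemon, which is worth confirming for builds configured without `--localstatedir=/var`. The `[Service]` section begins outside the hunk.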