diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index d0cd8b732e..b27b8d2dd8 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -21,8 +21,16 @@ TimeoutStartSec=600
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_BPF CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
-ProtectSystem=true
+PrivateTmp=true
+
+ProtectClock=true
+ProtectControlGroups=true
 ProtectHome=read-only
+ProtectKernelLogs=true
+ProtectSystem=true
+
+RestrictRealtime=true
+RestrictSUIDSGID=true
 # We require file descriptors for DHCP etc. When activating many interfaces,
 # the default limit of 1024 is easily reached.
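Review bot: `ProtectClock=true` is the one added option that does more than its name says: per systemd.exec(5) it implies `DeviceAllow=char-rtc r`, and once any `DeviceAllow=` is in effect the default `DevicePolicy=auto` no longer permits all device nodes. The hunk shows no `DeviceAllow=` entries, so unless they exist elsewhere in the unit, the daemon and the helpers it spawns may lose access to nodes such as `/dev/rfkill` or `/dev/net/tun`; that is worth checking on a system with Wi-Fi, VPN or PPP in use. If the restriction is unintended, either drop `ProtectClock=true` or list the required nodes explicitly, e.g. `DeviceAllow=/dev/rfkill rw`. A short comment above the new block noting that `PrivateTmp=` and the device policy also apply to child processes would help later maintainers.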