diff --git a/cmd/tailscaled/tailscaled.service b/cmd/tailscaled/tailscaled.service
index 71dc89f1b..447b9cb21 100644
--- a/cmd/tailscaled/tailscaled.service
+++ b/cmd/tailscaled/tailscaled.service
@@ -20,5 +20,16 @@ CacheDirectory=tailscale
 CacheDirectoryMode=0750
 Type=notify
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+ReadWritePaths=/etc/
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+
 [Install]
 WantedBy=multi-user.target
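Review bot: `ReadWritePaths=/etc/` reopens the whole of /etc for writing, which gives back much of what `ProtectSystem=strict` on the line above takes away: a compromised daemon could still modify account, sudo or unit-override files there. If the need is DNS configuration (presumably /etc/resolv.conf, which I infer rather than see), say so in the unit, e.g. `# /etc must stay writable: the daemon rewrites resolv.conf`, and narrow the path if the daemon's write pattern allows it. The [Service] section begins outside this hunk, so I cannot tell whether `NoNewPrivileges=` or `CapabilityBoundingSet=` are already set; if not, they would complement these options.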