diff --git a/NEWS b/NEWS
index f426c29cb..28ba89c4d 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,7 @@ ver 0.19.20 (not yet released)
 * output
   - winmm: fix 8 bit playback
 * fix gcc 7.0 -Wimplicit-fallthrough
+* systemd: paranoid security settings
 
 ver 0.19.19 (2016/08/23)
 * decoder
diff --git a/systemd/mpd.service.in b/systemd/mpd.service.in
index c02f55e8d..250ab521c 100644
--- a/systemd/mpd.service.in
+++ b/systemd/mpd.service.in
@@ -12,6 +12,15 @@ LimitRTTIME=infinity
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes
 
+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket