In my research on services to disable on my new Windows 2008 box, I stumbled across a hidden security feature added to Windows 2008: the per-service security identifier (SID).
In previous operating systems, if two services were both running as "Local Service" then each could access the other's files. With per-service SIDs the services can still both run as "Local Service" yet have access to their files and resources restricted so that neither can reach the other's. This works because the OS essentially creates its own identity for each service, which eliminates the administrative headache of creating a separate domain account for every service.
If you want to grant a service access to a specific file or registry key, simply browse for NT SERVICE\<service name> and add it to the ACL as you would for any normal account.
The simplest way to set this on a service is to use the sc.exe command to set the per-service SID type to one of three modes. These modes are:
None - The service will not have a per-service SID (default)
Unrestricted - The service will have a per-service SID
Restricted - The service will have a per-service SID and a write-restricted token
Setting a service named MyCustomService to have an unrestricted per-service SID:
sc.exe sidtype MyCustomService Unrestricted
Setting a service named MyCustomService to have a restricted per-service SID:
sc.exe sidtype MyCustomService Restricted
Viewing the settings of a service:
sc.exe qsidtype MyCustomService
Under the Restricted model the service can only write to files it has explicitly been given access to. If your service only writes to one file this is fairly easy, but if it writes to a lot of files it can be quite time consuming.
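To take some of the tedium out of that, here is an added PowerShell example (my own, not from any Microsoft documentation) that applies the Restricted mode, grants NT SERVICE\<service name> write access to each path the service needs, and reads the setting back with qsidtype. It assumes the service MyCustomService and the log directory already exist and that the script is run from an elevated prompt.

```powershell
# Added example: sandbox a service with a Restricted per-service SID and grant that
# SID write access only to the paths it really needs. Assumes the service and the
# paths already exist and that this runs elevated.

function Set-ServiceSidSandbox {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [string[]] $WritablePaths = @()
    )

    # 1. Turn on the per-service SID in write-restricted mode (same command as above).
    sc.exe sidtype $ServiceName Restricted | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sidtype failed for $ServiceName" }

    # 2. Grant NT SERVICE\<name> Modify on each path the service must write to.
    #    With a write-restricted token a write only succeeds when the restricting SIDs
    #    (which include the per-service SID) are themselves granted access.
    $identity = "NT SERVICE\$ServiceName"
    foreach ($path in $WritablePaths) {
        $acl  = Get-Acl -Path $path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
    }

    # 3. Read the setting back so the caller can verify what actually got applied.
    $output  = sc.exe qsidtype $ServiceName
    $match   = $output | Select-String 'SERVICE_SID_TYPE:\s*(\w+)'
    if (-not $match) { throw "could not read SID type for $ServiceName" }
    return $match.Matches[0].Groups[1].Value
}

# Usage: the restricted token is only built when the service process starts,
# so restart the service after changing the SID type.
$sidType = Set-ServiceSidSandbox -ServiceName 'MyCustomService' `
    -WritablePaths 'C:\ProgramData\MyCustomService\logs'
Restart-Service -Name 'MyCustomService'
"MyCustomService SID type is now $sidType"
```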
Now I have not played with this much yet, but I am a big fan of sandboxing applications to limit what they can do if exploited. My next Windows 2008 service will definitely be using this great feature.