The last bit of service lockdown that you can do in Vista is to instruct Windows Firewall to link particular incoming and outgoing ports to particular services. That way, a compromised system can't start scanning ports. It certainly sounds like a great tool, but unfortunately, as I write this in early October 2006, the only documentation about it is a short reference in a Microsoft white paper called "Vista Services." Search Microsoft's site for the paper; the reference is on pages 9 and 10.