Run your service as Local Service or Network Service, not Local System.
Restrict the token for your service. Be sure to work out the ACLs needed for your objects first!
Use the service account SID in the access controls for the service’s resources.
Restrict the privileges available to the service.
Create restrictive firewall rules to reduce network attack surface.
Think about how your service will communicate with the desktop, and use correct mechanisms.
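
The first five recommendations applied to one service with built-in Windows tools, as an added example that is not from the original page. The service name ExampleSvc, its paths, port 8443 and the single privilege kept are placeholder assumptions, and the firewall step assumes the default inbound policy is Block.

```powershell
# Added example, run from an elevated PowerShell prompt.
# ExampleSvc, both paths and port 8443 are placeholders for your own service.
$svc  = 'ExampleSvc'
$data = 'C:\ProgramData\ExampleSvc'
$exe  = 'C:\Program Files\ExampleSvc\examplesvc.exe'

# 1. ACLs first: grant the per-service SID (NT SERVICE\<name>) Modify on the one
#    directory the service writes to. Once the token is restricted, writes
#    succeed only where this SID is granted access explicitly.
icacls.exe $data /grant "NT SERVICE\${svc}:(OI)(CI)M"

# 2. Run as Local Service instead of Local System. "sc" alone is an alias for
#    Set-Content in Windows PowerShell, so call sc.exe. The --% token passes the
#    rest of the line verbatim so the empty password argument is not dropped.
sc.exe --% config ExampleSvc obj= "NT AUTHORITY\LocalService" password= ""

# 3. Restrict the token: the "restricted" SID type adds the service SID to the
#    token and makes the token write-restricted.
sc.exe sidtype $svc restricted

# 4. Keep only the privileges the service needs (separate several with "/").
#    Assumption: this service needs nothing beyond SeChangeNotifyPrivilege.
sc.exe privs $svc SeChangeNotifyPrivilege

# 5. Firewall: allow inbound traffic only for this binary, this service and
#    this port, so no other listener in the process is reachable.
New-NetFirewallRule -DisplayName "$svc inbound 8443" -Direction Inbound `
    -Action Allow -Program $exe -Service $svc -Protocol TCP -LocalPort 8443 |
    Out-Null

# Verify what the Service Control Manager recorded, then restart so the new
# account, SID type and privilege list are applied to a fresh token.
sc.exe qc $svc
sc.exe qsidtype $svc
sc.exe qprivs $svc
Restart-Service -Name $svc
```

If the service fails to start or cannot write after step 3, the usual cause is a resource whose ACL does not yet name the service SID.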