diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 6181d15d77..334f030caa 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -21,6 +21,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 5144868bcb..0cb1bfa3ca 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 23aa828591..ed573b8f3c 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -36,6 +36,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 1b69677496..2673146841 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f73697832c..5723f1c1e2 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
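Review bot: `ProtectClock=yes` is documented to imply `DeviceAllow=char-rtc r`, so in the units here that show no `PrivateDevices=yes` in their context (journald, logind, networkd) the added line also turns on a device allow-list as a side effect, and none of these hunks accounts for it. journald is the one to check first, because it opens `/dev/kmsg`; unless the unit already carries a matching `DeviceAllow=` outside the visible lines, it would need an explicit entry such as `DeviceAllow=char-* rw` next to the new directive, in the same way the udevd section of this patch adds its own. journal-remote and resolved show `PrivateDevices=yes` in context, so their device policy is already closed and the change is lower risk there. A one-line comment above the directive, e.g. `# ProtectClock= implies DeviceAllow=char-rtc r and thereby a device allow-list`, would keep that coupling visible to whoever edits these units next.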
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index 5eee69933b..f3ebaa18a6 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -16,6 +16,8 @@ Before=sysinit.target ConditionPathIsReadWrite=/sys [Service] +DeviceAllow=block-* rwm +DeviceAllow=char-* rwm Type=notify # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers OOMScoreAdjust=-1000 @@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0 KillMode=mixed TasksMax=infinity PrivateMounts=yes +ProtectClock=yes ProtectHostname=yes MemoryDenyWriteExecute=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
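Review bot: The two `DeviceAllow=` lines added at the top of `[Service]` carry no comment, and their only apparent purpose is to undo the device allow-list that the `ProtectClock=yes` added in the second hunk implies; a reader who sees them in isolation may take them for a stray loosening and remove them. I would add `# ProtectClock= implies DeviceAllow=char-rtc r; udevd must reach every device node, so allow them all explicitly` directly above them. Note also that `char-* rwm` appears to re-grant write access to the RTC device node, so for udevd the clock protection would rest on the capability and system-call restrictions of `ProtectClock=` rather than on device policy; that is worth stating in the commit message so the hardening is not over-read. Both hunks show only part of the `[Service]` section, so any existing `DevicePolicy=` or `DeviceAllow=` lines outside them should be checked for consistency.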