diff --git a/src/iwd.service.in b/src/iwd.service.in
index a16c17e5..77819eaf 100644
--- a/src/iwd.service.in
+++ b/src/iwd.service.in
@@ -21,6 +21,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ConfigurationDirectory=iwd
 StateDirectory=iwd
+StateDirectoryMode=0700
 
 [Install]
 WantedBy=multi-user.target
diff --git a/tools/run-iwd.sh b/tools/run-iwd.sh
index caab4677..c2220cf5 100755
--- a/tools/run-iwd.sh
+++ b/tools/run-iwd.sh
@@ -16,6 +16,7 @@ systemd-run \
 	--property=ProtectSystem=strict \
 	--property=ProtectControlGroups=yes \
 	--property=ProtectKernelModules=yes \
-	--property=StateDirectory=iwd \
 	--property=ConfigurationDirectory=iwd \
+	--property=StateDirectory=iwd \
+	--property=StateDirectoryMode=0700 \
 	./src/iwd $*
diff --git a/wired/ead.service.in b/wired/ead.service.in
index 55d72fc8..387fdb68 100644
--- a/wired/ead.service.in
+++ b/wired/ead.service.in
@@ -20,6 +20,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ConfigurationDirectory=ead
 StateDirectory=ead
+StateDirectoryMode=0700
 
 [Install]
 WantedBy=multi-user.target