Service network access restrictions
Over the years, services running in Windows have become more and more dependent on being accessible to the network or accessible by other computers on your network. Services that face the network in this way are more vulnerable to attack since, in order to work their magic, these services are just waiting for remote connections, making them more susceptible to malicious activity.
Under Windows Vista, a developer can restrict a service's access by TCP/UDP port, protocol, or even by the direction that network traffic is flowing. When restrictions like these are in place, attempts to access a service using other methods will be blocked, protecting that service from some attack vectors.
Windows Vista services can also be configured to not allow network access in which case the service cannot be remotely exploited, but neither can the service make connections to remote services. However, not every service really needs network access.
Windows Vista's service-level network access restrictions hardening feature works in a similar fashion, as the service isolation feature in that the restrictions are implemented through the use of service-level SIDs.