Prevent service accounts from logging in locally or remotely
You can create settings in your local group policy (gpedit.msc) to achieve this. Look under Computer Config | Windows Settings | Security Settings | Local Policies | User Rights Assignment. The specific ones you want are Deny logon as a batch job, Deny logon locally and Deny logon through Terminal Services.
You can also tune some of the other settings here, such as Access this computer from the network, to harden it further.
It goes without saying, but make these changes one at a time, and test your service works correctly after each one before proceeding to the next.