Download and install fal_securedownload through extension manager or clone from https://github.com/beechit/fal_securedownload.git in typo3conf/ext/
Create non public file storage (under rootlevel)
Un-check the 'public' checkbox for your existing file storage or create a new file storage and set it to non public
Best is to have the physical folder outside of your document root. If not, add an .htaccess with "Deny from all" (Apache < 2.3) or "Require all denied" (Apache >= 2.3) in your file storage root folder.
Set fe_group permissions to a file or folder of the non-public file storage