Download and install fal_securedownload through the Extension Manager, or clone it from https://github.com/beechit/fal_securedownload.git into typo3conf/ext/
Create a non-public file storage (under the root level)
Un-check the 'public' checkbox for your existing file storage, or create a new file storage and set it to non-public
It is best to have the physical folder outside of your document root. If it is not, add an .htaccess with "Deny from all" (Apache < 2.3) or "Require all denied" (Apache >= 2.3) in your file storage root folder.
Set fe_group permissions on a file or folder of the non-public file storage
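
One way to check the folder placement described in the steps above, as an added example that is not part of the extension or its documentation. The function names and the paths passed to them are assumptions; substitute your own document root and storage folder.

```shell
#!/bin/sh
# Added example: classify how a non-public storage folder is exposed by the web server.
# resolve_dir and storage_exposure are hypothetical helper names.

# Resolve a directory to its physical path (symlinks followed).
resolve_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Usage: storage_exposure DOCROOT STORAGE
# Prints one of:
#   outside    storage is not below the document root
#   protected  storage is below the document root and its .htaccess denies all
#   exposed    storage is below the document root without a deny rule
#   error      a path could not be resolved
storage_exposure() {
    docroot=$(resolve_dir "$1") || { echo error; return 2; }
    storage=$(resolve_dir "$2") || { echo error; return 2; }

    # Compare with a trailing slash so /var/www-private is not taken for /var/www.
    case "$storage/" in
        "$docroot"/*) ;;
        *) echo outside; return 0 ;;
    esac

    ht="$storage/.htaccess"
    # Accept either directive from the instructions; commented-out lines do not count.
    if [ -f "$ht" ] && grep -v '^[[:space:]]*#' "$ht" |
        grep -Eiq '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)[[:space:]]*$'; then
        echo protected
        return 0
    fi
    echo exposed
    return 1
}
```

The check only reads the file. Apache ignores .htaccess when AllowOverride does not permit it, so also confirm that a direct request for a file in the storage is refused.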