diff --git a/one.cpp b/one.cpp
index 46a23b1ee..ba5be9b18 100644
--- a/one.cpp
+++ b/one.cpp
@@ -2235,6 +2235,27 @@ int main(int argc,char **argv)
 }
 }
+ // Check and fix permissions on critical files at startup
+ try {
+ char p[4096];
+ OSUtils::ztsnprintf(p, sizeof(p), "%s" ZT_PATH_SEPARATOR_S "identity.secret", homeDir.c_str());
+ if (OSUtils::fileExists(p)) {
+ OSUtils::lockDownFile(p, false);
+ }
+ }
+ catch (...) {
+ }
+
+ try {
+ char p[4096];
+ OSUtils::ztsnprintf(p, sizeof(p), "%s" ZT_PATH_SEPARATOR_S "authtoken.secret", homeDir.c_str());
+ if (OSUtils::fileExists(p)) {
+ OSUtils::lockDownFile(p, false);
+ }
+ }
+ catch (...) {
+ }
+
 // This can be removed once the new controller code has been around for many versions
 if (OSUtils::fileExists((homeDir + ZT_PATH_SEPARATOR_S + "controller.db").c_str(),true)) {
 fprintf(stderr,"%s: FATAL: an old controller.db exists in %s -- see instructions in controller/README.md for how to migrate!" ZT_EOL_S,argv[0],homeDir.c_str());
diff --git a/osdep/OSUtils.cpp b/osdep/OSUtils.cpp
index 36814523a..e237325c4 100644
--- a/osdep/OSUtils.cpp
+++ b/osdep/OSUtils.cpp
@@ -257,6 +257,16 @@ void OSUtils::lockDownFile(const char *path,bool isDir)
 CloseHandle(processInfo.hProcess);
 CloseHandle(processInfo.hThread);
 }
+
+ // Remove 'Everyone' group from R/RX access
+ startupInfo.cb = sizeof(startupInfo);
+ memset(&startupInfo, 0, sizeof(STARTUPINFOA));
+ memset(&processInfo, 0, sizeof(PROCESS_INFORMATION));
+ if (CreateProcessA(NULL, (LPSTR)(std::string("C:\\Windows\\System32\\icacls.exe \"") + path + "\" /remove:g Everyone /t /c /Q").c_str(), NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &startupInfo, &processInfo)) {
+ WaitForSingleObject(processInfo.hProcess, INFINITE);
+ CloseHandle(processInfo.hProcess);
+ CloseHandle(processInfo.hThread);
+ }
 }
 #endif
 #endif
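Review bot: A failure to tighten permissions on `identity.secret` or `authtoken.secret` is invisible in these two startup blocks: `lockDownFile` returns `void` and both handlers are an empty `catch (...) { }`, so the service starts normally even if the secrets stay readable by other accounts. At minimum log it, e.g. `catch (...) { fprintf(stderr,"%s: WARNING: unable to lock down identity.secret" ZT_EOL_S,argv[0]); }`, and consider having `lockDownFile` report success so startup can warn or refuse to continue. The two blocks differ only in the file name and could be one loop over `{"identity.secret", "authtoken.secret"}`. `main` continues outside the hunk.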
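Review bot: `/remove:g Everyone` depends on the English account name, which may not resolve on localized Windows installs, so the grant can be left in place with no indication; icacls also accepts the well-known SID, `"\" /remove:g *S-1-1-0 /t /c /Q"`. The icacls exit code is never read, so that case (or a missing `C:\\Windows\\System32\\icacls.exe` on a non-default system root) is silent; a `GetExitCodeProcess` call after the wait would expose it. Separately, `startupInfo.cb = sizeof(startupInfo);` is zeroed by the `memset` on the next line, so do the `memset` first and set `cb` after it. `lockDownFile` begins outside the hunk.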