Restrict access to minifilter driver and it's IRP_MJ_DEVICE_CONTROL

I have a minifilter. I want to restrict access to driver’s IOCL (1) at least so non elevated users cannot call DeviceIoControl. The best will be (2) to restrict calls to IOCL to my user mode process only (it runs elevated), as IOCL exposes very powerful functionality.

From user mode I open driver like this:

HANDLE hDrv = CreateFileW( L"\\\\.\\DriverName", GENERIC_WRITE | GENERIC_READ, 0, NULL, OPEN_EXISTING, 0, NULL);

Then call IOCL like this:

#define MAKE_DANGEROUS_THING_IOCL  CTL_CODE( SIOCTL_TYPE, 0x804, METHOD_BUFFERED, FILE_READ_DATA|FILE_WRITE_DATA)
DeviceIoControl(hDrv, MAKE_DANGEROUS_THING_IOCL, nullptr, 0, readBuffer, sizeof(readBuffer), &dwBytesRead, NULL)

In driver I have:

extern "C" NTSTATUS DriverEntry(__in PDRIVER_OBJECT DriverObject, __in PUNICODE_STRING RegistryPath)
{
    IoCreateDevice(DriverObject, 0, &DEVICE_NAME, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &gMyDevice);
    IoCreateSymbolicLink(&DEVICE_SYM_LINK, &DEVICE_NAME);
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = Function_IRP_DEVICE_CONTROL;

I tried to put in the .inf file the following ACL that I expect should prevent opening driver from interactive users:

[MiniFilter.AddRegistry.security]
"O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"

But I had no luck, CreateFileW and DeviceIoControl successfully execute from the non elevated user.

What am I doing wrong? How can I restrict IOCL functionality to admins or to my process only?

I found a problem with my approach. This

[MiniFilter.AddRegistry.security]
"O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"

is to restrict access to registry only. So I changed INF file to this, so security settings will affect driver:

[DefaultInstall.Services]
AddService          = %ServiceName%,,MiniFilter.Service
[MiniFilter.Service]
Security         = "D:(A;;;;;IU)(A;;;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"

But even with no rights to the interactive users, I still can CreateFileW and DeviceIoControl successfully from the non elevated user.

Looks like this rights affect driver as an object of manipulation from the service manager, not as a Driver Object as I expected.

Any idea how to protect IOCL from calling by non elevated users?

You want IoCreateDeviceSecure.

I found that this works as I want too (can CreateFileW( L"\\\\.\\DriverName", ...) for admins, cannot for non-admins):

status = IoCreateDevice(DriverObject, 0, &DEVICE_NAME, FILE_DEVICE_DISK_FILE_SYSTEM, FILE_DEVICE_SECURE_OPEN, FALSE, &gMyDevice);

I replaced FILE_DEVICE_UNKNOWN with FILE_DEVICE_DISK_FILE_SYSTEM

Is it ok to use FILE_DEVICE_DISK_FILE_SYSTEM with a minifilter?

Why not use IoCreateDeviceSecure and not have to rely on some implementation detail?