We have an application which is not per user and can be used by multiple users simultaneously, and data is also shared by all users. So the path we use for data folders is ProgramData\OurAppName\Data (post-Vista), and we give full control to all users so that our application, run by them, can make changes to files under the Data folder.
Now the issue: with this, any other application (malware/virus) can also modify the files, i.e. an attack can be made on our application's data files. Our application is a Win32 desktop application.
Is there any way by which we can restrict access to the Data folder to only our applications?
The Windows security model is per-user, not per-application. So there is no built-in way to restrict access to files based on which application is making the request.
The proper solution is for a server program (either running on an actual server, or as a system service on the local machine) to have exclusive access to the files (which works because the server program will be running as a different user) and for the client application (the application the end users run) to make all requests via the server. The server can then vet the requests to make sure they are not destructive before carrying them out.
Possible ad-hoc solutions would include a system service that hands out access to the files to your application (via handle duplication) or a file system filter driver. These approaches could be bypassed easily enough, but might be adequate against common-variety viruses that are not targeting your application specifically.
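The ACL side of the service approach described in the answer, as an added example that is not part of the original answer: it lists ACEs on the Data folder that grant write access to broad groups, then replaces the DACL so that only the service account, SYSTEM and Administrators can touch the files. The service name `OurAppDataSvc` and both function names are assumptions; run it elevated, after the service has been installed.

```powershell
# Assumptions (not from the original post): the service is installed as
# 'OurAppDataSvc' (hypothetical name) and runs under its virtual account.
$DataDir        = Join-Path $env:ProgramData 'OurAppName\Data'
$ServiceAccount = 'NT SERVICE\OurAppDataSvc'

# Well-known SIDs of broad groups that should hold no write access here.
$BroadSids = 'S-1-1-0',       # Everyone
             'S-1-5-11',      # Authenticated Users
             'S-1-5-32-545',  # BUILTIN\Users
             'S-1-5-4'        # INTERACTIVE

# Specific write/delete rights plus GENERIC_WRITE | GENERIC_ALL (0x50000000).
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000

function Get-BroadWriteAce([string]$Path) {
    # Return every Allow ACE that lets a broad group modify the folder.
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $rights = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $ace.IdentityReference.Value -and
            ($rights -band $WriteBits) -ne 0) { $ace }
    }
}

function Set-ServiceOnlyAcl([string]$Path, [string]$Account) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # drop ACEs inherited from ProgramData
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($id in $Account, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Before: show the weak entries (the "full control to all users" setup).
Get-BroadWriteAce $DataDir | Format-Table IdentityReference, FileSystemRights, IsInherited

# After: only the service identity and administrators keep access.
Set-ServiceOnlyAcl $DataDir $ServiceAccount
if (Get-BroadWriteAce $DataDir) { Write-Warning "Broad write access still present on $DataDir" }
```

Files and subfolders that carry their own explicit ACEs keep them; only the inherited entries are replaced by this change.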