I guess this is one of my pet hates/loves: too often I come across applications that make their database connection strings freely available to anybody who knows where to look.
As a junior developer, the main focus is generally just to secure the connection string and leave it at that; the IT guys know what they're doing. But untold amounts of data are being transferred across domains, networks or even in public, without any thought for how that data is secured.
I'm sure many who have worked in the finance industry (banking, anyone?) are aware of how important it is to secure that data. We're dealing with money here, so it's obvious that it needs to be safe.
So, how do we do it? Or do we care? I mean, the famous last words of any application exposed to the public are "it wouldn't happen to me, right?".
Where do we start?
Encrypting web.config connectionStrings
The obvious first choice would be to take whatever details you're storing in your config files and make them unavailable. Check: web.config isn't readable from the web... or is it?
Naturally we don't want to encrypt everything, so let's just do the sections that matter for now.
aspnet_regiis -pe "connectionStrings" -app "/AppName" -prov "RsaProtectedConfigurationProvider"
aspnet_regiis -pd "connectionStrings" -app "/AppName"
Now we've encrypted the connection string, so the data is safe... nah, of course not. This only encrypts that section of the web.config with a machine-level key; data is still being transferred between servers in plain text.
Next is a simple way to ensure that your data is being encrypted: get hold of an SSL certificate and use the SqlClient connection string ...
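The same protection can be applied from code, which is handy when a deployment script rather than a person runs it. The following is an added example, not code from the original post: it uses the System.Configuration API to do what aspnet_regiis -pe does, then re-opens web.config to show that the application reads the section transparently. The virtual path "/AppName" and the connection string name "MyDb" are placeholders.

```csharp
// Added example (not from the original post): encrypt the <connectionStrings>
// section of a site's web.config programmatically, the equivalent of
//   aspnet_regiis -pe "connectionStrings" -app "/AppName" -prov "RsaProtectedConfigurationProvider"
// and then verify the result. "/AppName" and "MyDb" are placeholders.
// Must run as an identity that can write web.config and use the machine-level RSA key container.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectConnectionStrings
{
    const string VirtualPath = "/AppName";   // placeholder: the IIS application path
    const string Provider = "RsaProtectedConfigurationProvider";

    static void Main()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(VirtualPath);
        ConfigurationSection section = config.GetSection("connectionStrings");

        if (section.SectionInformation.IsProtected)
        {
            Console.WriteLine("connectionStrings already protected by " +
                section.SectionInformation.ProtectionProvider.Name);
        }
        else
        {
            section.SectionInformation.ProtectSection(Provider);
            // The values did not change, only their protection did, so force the section to be rewritten.
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("connectionStrings section encrypted with " + Provider);
        }

        // Re-open the file: the provider decrypts transparently on read, so the
        // application code never changes. Whoever can use the RSA key container
        // (or run code on this machine) can read the plaintext just as easily.
        Configuration reopened = WebConfigurationManager.OpenWebConfiguration(VirtualPath);
        var csSection = (ConnectionStringsSection)reopened.GetSection("connectionStrings");
        ConnectionStringSettings cs = csSection.ConnectionStrings["MyDb"];   // placeholder name
        Console.WriteLine(cs == null
            ? "No connection string named MyDb"
            : "MyDb decrypted transparently, length " + cs.ConnectionString.Length);
    }
}
```

Two things to check after running this: the worker process identity must be able to read the default key container (aspnet_regiis -pa "NetFrameworkConfigurationKey" followed by the app pool account grants that), and the encrypted section protects only the file at rest on that machine; it does nothing for the credentials once they leave the process, which is the point the next section picks up.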
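To make the SQL connection itself use that certificate, SqlClient has two connection string keywords that matter: Encrypt, which requests TLS for the session, and TrustServerCertificate, which decides whether the server's certificate is actually validated. The example below is added here and is not from the original post; the host name "sql01.example.internal" and database "Payments" are placeholders. After connecting it asks SQL Server, via the sys.dm_exec_connections view, whether the current session really is encrypted, which is the check worth putting in a smoke test.

```csharp
// Added example (not from the original post): build a SqlClient connection string
// that requires TLS and validates the server certificate, then confirm from the
// server side that the session is encrypted. Host and database names are placeholders.
using System;
using System.Data.SqlClient;

class EncryptedSqlConnection
{
    static string BuildConnectionString()
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = "sql01.example.internal",  // placeholder; must match the certificate's subject or SAN
            InitialCatalog = "Payments",            // placeholder database
            IntegratedSecurity = true,              // Windows auth: no password sitting in the config at all
            Encrypt = true,                         // demand TLS for this session
            TrustServerCertificate = false          // validate the chain; "true" would accept any certificate
        };
        return builder.ConnectionString;
    }

    // Returns true only when SQL Server itself reports this session as encrypted.
    static bool IsSessionEncrypted(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID", conn))
        {
            conn.Open();
            var encryptOption = cmd.ExecuteScalar() as string;   // 'TRUE' or 'FALSE'
            return string.Equals(encryptOption, "TRUE", StringComparison.OrdinalIgnoreCase);
        }
    }

    static void Main()
    {
        string cs = BuildConnectionString();
        Console.WriteLine(cs);
        Console.WriteLine(IsSessionEncrypted(cs) ? "Session is encrypted." : "Session is NOT encrypted.");
    }
}
```

The distinction between the two keywords is the whole point of getting a proper certificate: with TrustServerCertificate=True the bytes on the wire are still encrypted, but any host that answers on the database port is accepted, so a machine sitting between the web server and SQL Server can terminate the connection and read the traffic. Leaving it False and installing a certificate the web server trusts is what turns "encrypted" into "encrypted to the right server".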