Plain-text (unencrypted) connectionStrings in your web.config file pose many risks because they expose database credentials, which can then be used for further attacks.
A typical connectionStrings tag in your web.config file will look similar to the figure below (with different database, user id and password values):
Encrypting the connectionStrings section of the Web.Config File
1. In a text editor, open the Web.config file for your application.
2. Make sure that there is a <connectionStrings> child element.
3. Close the Web.config file.
4. Launch the command prompt as Administrator and change to the directory for your .NET Framework version, which can be found under <WINDOWSDIR>\Microsoft.Net\Framework\version.
5. Using the aspnet_regiis.exe command-line tool, type the command below with the parameters to match your application:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis -pe "connectionStrings" -app "/DemoApp" -site "Demo Site"
You can learn the meaning of the added parameters by typing aspnet_regiis.exe /? on the command line.
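To confirm the result of step 5, the file can be checked for the protection provider attribute and the EncryptedData element that aspnet_regiis writes. The PowerShell below is an added example, not part of the original article; the function name Get-ConnectionStringsStatus and both sample configurations are constructed for illustration.

```powershell
# Added example: report whether <connectionStrings> in a Web.config is protected.
function Get-ConnectionStringsStatus {
    param([Parameter(Mandatory)][xml]$Config)

    # local-name() keeps the lookup working if <configuration> declares a namespace
    $xpath   = "/*[local-name()='configuration']/*[local-name()='connectionStrings']"
    $section = $Config.SelectSingleNode($xpath)
    if ($null -eq $section) {
        return [pscustomobject]@{ Status = 'NoSection'; WithPassword = @() }
    }

    # After aspnet_regiis -pe the section names a protection provider and
    # contains an <EncryptedData> element instead of <add> entries
    $provider  = $section.GetAttribute('configProtectionProvider')
    $encrypted = $section.SelectSingleNode("*[local-name()='EncryptedData']")
    if ($provider -and $null -ne $encrypted) {
        return [pscustomobject]@{ Status = "Encrypted ($provider)"; WithPassword = @() }
    }

    # Report entry names only, never the connection string itself
    $names = @($section.SelectNodes("*[local-name()='add']") |
        Where-Object { $_.GetAttribute('connectionString') -match '\b(password|pwd)\s*=' } |
        ForEach-Object { $_.GetAttribute('name') })
    return [pscustomobject]@{ Status = 'NotEncrypted'; WithPassword = $names }
}

# Constructed sample inputs (all values are placeholders)
$plainSample = @'
<configuration>
  <connectionStrings>
    <add name="DemoDb" connectionString="Server=db01;Database=Demo;User Id=demo_user;Password=PLACEHOLDER" />
  </connectionStrings>
</configuration>
'@
$encryptedSample = @'
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
'@

Get-ConnectionStringsStatus -Config $plainSample
Get-ConnectionStringsStatus -Config $encryptedSample
# For a real file, pass its contents: -Config (Get-Content -Raw '<path to Web.config>')
```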
Your connectionStrings section will now look similar to this: