I'm working on a project at work that's Web Forms, C# and ASP.Net. The code is old.
Instead of using web.config to hold connection strings and app settings, they have an XML file. In it, they have something like this for the connection string:
<add value="Server=DVSTL;Database=DVwhatever;Min Pool Size=2" key="Data.ConnectionString"/>
<add value="[enc]encrypted value here==" key="DataDB.CV.PWD"/>
<add value="[enc]encrypted value here=" key="DataDB.UID"/>
There's more in this XML file. There's an XML file for each environment.
Yesterday, we had a meeting about this and my manager said this was done for security because if we have the encrypted connection string in Web Config, someone can get that section... behind a firewall... and decrypt the values.
I worked at another company last year where all the connection strings were in Web Config and the environment was big on security. We even had the dev environment's connection string encrypted.
I suggested removing the XML and just using the web config.
My question is... can web config's connection string... when encrypted... be stolen and decrypted? With or without a firewall.