
Is it really possible to protect a connection string in app.config?

We want to protect the login information that is used to connect to our SQL Server database from a .NET windows application.

This information is stored as a connection string in an app.config file on the client PC.

Almost everywhere it is suggested you encrypt your connection string using

config.GetSection("connectionStrings").SectionInformation.ProtectSection("DataProtectionConfigurationProvider");

However, a malicious user that wants your database password could just copy the encrypted config file, use it with its own application, and call

config.GetSection("connectionStrings").SectionInformation.UnprotectSection();

This will decrypt the connection string back to plain text.

Is there any way to really protect a database password in a .NET application that is stored on a user's PC?

EDIT: to further clarify the situation, we are indeed talking about a malicious user (read: competitor) that has access to the same PC and wants the password.

As a secondary measure, we first encrypt the password ourselves, save it to app.config and then call ProtectSection(). This will make Unprotect() output the encrypted password. But the user will still be able to decompile our code and figure out our encryption key and algorithm that is used...

Run CMD asked Dec 22 '17 15:12


1 Answer

a malicious user that wants your database password could just copy the encrypted config file, use it with its own application

This wouldn't work, unless the malicious user runs on the same computer, or has access to the encryption keys of your Protected Configuration Provider.

This is a reasonably strong protection, but if we suppose that web.config could be stolen, we must also suppose that the private key file could be stolen as well. Hence, the protected option is "more secure" only in the sense that a kid next door would have a harder time breaking it.

If your RDBMS is SQL Server, you could use its Integrated Security feature to avoid storing, and even creating, login credentials for the RDBMS.

Sergey Kalinichenko answered Oct 08 '22 00:10
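
The Integrated Security suggestion from the answer above, as an added example (not code from the question or the answer): it checks whether a connection string stores a SQL login and rewrites it to use Windows authentication, so app.config holds no secret. The server, database and login values are constructed placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Constructed sample values; server, database and login names are placeholders.
    static readonly string[] Samples =
    {
        "Data Source=db.example.internal;Initial Catalog=AppDb;User ID=app_login;Password=PLACEHOLDER",
        "Data Source=db.example.internal;Initial Catalog=AppDb;Integrated Security=SSPI",
    };

    // True when the string itself holds a SQL login secret, i.e. something that
    // encrypting app.config only hides from other users of the same PC.
    public static bool StoresSqlLogin(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        return !string.IsNullOrEmpty(builder.Password);
    }

    // Returns the same server and database with Windows authentication:
    // no User ID or Password remains, so the config file has nothing to protect.
    public static string ToIntegratedSecurity(string connectionString)
    {
        var builder = new SqlConnectionStringBuilder(connectionString);
        builder.Remove("User ID");
        builder.Remove("Password");
        builder.IntegratedSecurity = true;
        return builder.ConnectionString;
    }

    static void Main()
    {
        foreach (var cs in Samples)
        {
            if (StoresSqlLogin(cs))
            {
                // The stored password is never echoed, only the replacement string.
                Console.WriteLine("stores a SQL login; replace with: " + ToIntegratedSecurity(cs));
            }
            else
            {
                Console.WriteLine("no stored password: " + new SqlConnectionStringBuilder(cs).ConnectionString);
            }
        }
    }
}
```

With the rewritten string, SQL Server authenticates the Windows account that runs the application, so database permissions are granted to that account or its group on the server rather than to a shared login.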