securing app.config - VB.Net 3.5

Question

I'm using Visual Studio 2008 Pro to create a VB Winform App. I have some custom configuration settings as well as a MS SQL connection string in my app.config file.

1. What is the best method to insure that no one can read these settings in the app.config?
2. Are there any other area's that would have the connection string in plain text that I might want to consider securing as well?

Thank you!

Answer 1

One method to protect your app.config is to encrypt it from prying eyes. Check out this article on Encrypting Passwords in a .NET app.config File or this one on Encrypting the app.config File for Windows Forms Applications.

In response to part two of your question: memory! Unencrypted data can hang around in unprotected memory until the Garbage Collector picks it up. So for that reason you'll want to look at using the SecureString class whenever you deal with passwords, connection strings and the like. The first article touches on this point.