Configuration files should be encrypted. Encryption protects a configuration
file's contents so that they cannot simply be opened and read in a text editor.
Configuration files often hold crucial information that must be protected,
ranging from simple user credentials to database access details such as the
server name, database name, user ID and password. Protected configuration lets
us encrypt sections of an ASP.NET application's Web.config file in order to
protect the sensitive information used by the application.
This improves the security of our application by making it difficult for an
attacker to read the sensitive information even if the attacker obtains a copy
of the Web.config file. ASP.NET includes two protected configuration providers
that can be used to encrypt sections of a Web.config file:
RsaProtectedConfigurationProvider, which uses RSACryptoServiceProvider to
encrypt configuration sections, and DpapiProtectedConfigurationProvider, which
uses the Windows Data Protection API (DPAPI) to encrypt configuration sections.
This powerful feature was introduced in ASP.NET 2.0, where the configuration
file itself can be encrypted. Almost all sections can be encrypted, including
user-defined sections. A few sections, such as <httpRuntime>, cannot be
encrypted: they are read by IIS and must remain in plain text.
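As an added example (not code from the original article), the following C# protects a Web.config section programmatically with either registered provider and checks the result on disk. It assumes it runs inside the web application under an identity that can write Web.config; the aspnet_regiis command in the comment is the equivalent command-line route.

```csharp
// Added example: encrypt a Web.config section with protected configuration.
// Command-line equivalent (run from the .NET Framework directory):
//   aspnet_regiis -pef "connectionStrings" "C:\inetpub\wwwroot\MyApp"
using System;
using System.Configuration;
using System.IO;
using System.Web.Configuration;

public static class ConfigProtector
{
    // Provider names as registered in machine.config:
    //   "RsaProtectedConfigurationProvider"  - RSA key container; the key can
    //       be exported and installed on every server of a web farm.
    //   "DataProtectionConfigurationProvider" - DPAPI; bound to this machine,
    //       so the encrypted section cannot be read on another server.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";
    public const string DpapiProvider = "DataProtectionConfigurationProvider";

    // Encrypts the named section in place; a no-op if already protected.
    public static void Protect(string sectionName, string providerName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(providerName);
            section.SectionInformation.ForceSave = true;   // write even if unchanged
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Verifies the protection by reading the file from disk: a protected
    // section is stored as <EncryptedData> instead of the clear-text values.
    public static bool IsEncryptedOnDisk(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        string rawFile = File.ReadAllText(config.FilePath);
        return config.GetSection(sectionName).SectionInformation.IsProtected
            && rawFile.Contains("<EncryptedData");
    }

    // Application code needs no change: the provider decrypts transparently.
    public static string ReadConnectionString(string name)
    {
        return ConfigurationManager.ConnectionStrings[name].ConnectionString;
    }
}
```

Call `ConfigProtector.Protect("connectionStrings", ConfigProtector.DpapiProvider)` once, then `ReadConnectionString` keeps returning the plain-text value to the application while the file on disk holds only the encrypted section.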