Although, ASP.NET is configured to reject all HTTP requests for resources with .config extension, if the malicious user still gains access to web server's file system then sensitive information in configuration file will be disclosed. It is fortunate that ASP.NET 2.0 mitigates this problem by introducing encryption schemes for configuration files. We can either encrypt or decrypt configuration files including Web.config and Machine.config either programmatically or using aspnet_regiis.exe tool. We can read and write configuration files for our application, for another application on the same machine, or even an application on a different server. Even though it is a nice feature to modify web.config file programmatically, it is not recommended to do so frequently in a Web application because any change in the web.config file will restart the Web server and refresh the cache entries. Hence, we should consider the same before modifying config file. Moreover, encrypting and decrypting data incurs performance overhead. We should encrypt only the sections of our configuration file that store sensitive data to keep this overhead to a minimum.