Although ASP.NET is configured to reject all HTTP requests for resources with
the .config extension, if a malicious user still gains access to the web
server's file system, the sensitive information in the configuration file will
be disclosed. Fortunately, ASP.NET 2.0 mitigates this problem by introducing
encryption schemes for configuration files. We can encrypt or decrypt
configuration files, including Web.config and Machine.config, either
programmatically or with the aspnet_regiis.exe tool. We can read and write
configuration files for our own application, for another application on the
same machine, or even for an application on a different server.

Even though modifying the web.config file programmatically is a convenient
feature, it is not recommended to do so frequently in a Web application,
because any change to the web.config file restarts the Web application and
refreshes the cache entries. Hence, we should consider this before modifying
the config file. Moreover, encrypting and decrypting data incurs a performance
overhead. We should encrypt only the sections of our configuration file that
store sensitive data, to keep this overhead to a minimum.
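The programmatic route described above, as an added example that is not part of the original text: a hypothetical helper that protects or unprotects a single named section (for example `connectionStrings`) of a web application's Web.config through the `System.Configuration` API, so that only the sensitive section is encrypted rather than the whole file. The class and method names are assumptions; `appPath` is the application's virtual path as IIS knows it.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper (not part of any ASP.NET library).
// Equivalent command-line form: aspnet_regiis -pe "connectionStrings" -app "/MyApp"
// to encrypt and aspnet_regiis -pd "connectionStrings" -app "/MyApp" to decrypt.
public static class ConfigSectionProtector
{
    // DPAPI provider: keys are bound to this machine, so it suits a single server.
    // For a web farm every node must share the key, which needs
    // RsaProtectedConfigurationProvider and an exported key container instead.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Encrypts one section in place. Saving the file causes the application to
    // restart, so call this from a deployment step, not on a hot path.
    public static void Protect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        // Idempotent: a section that is already encrypted is left untouched,
        // which avoids a needless rewrite and application restart.
        if (section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.ProtectSection(Provider);
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reverses Protect(); the plaintext is written back to Web.config.
    public static void Unprotect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("Section not found: " + sectionName);

        if (!section.SectionInformation.IsProtected)
            return;

        section.SectionInformation.UnprotectSection();
        config.Save(ConfigurationSaveMode.Modified);
    }
}
```

At run time, code that reads the section through `ConfigurationManager` or `WebConfigurationManager` receives the decrypted values transparently, so no reading code changes; only the on-disk file differs.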