
How Is The Application Configuration File Protected From Tampering?

2012-04-10 10:11  barbarossia


The attack scenario: can an "end user" read the database connection string out of the configuration file and thereby obtain the database privileges it grants?

The best way to encrypt configuration settings is with DPAPI, the Data Protection Application Programmer's Interface:

This Data Protection API (DPAPI) is a pair of function calls that provide OS-level data protection services to user and system processes. By OS-level, we mean a service that is provided by the operating system itself and does not require any additional libraries. By data protection, we mean a service that provides confidentiality of data through encryption. Since the data protection is part of the OS, every application can now secure data without needing any specific cryptographic code other than the necessary function calls to DPAPI.
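As an added example (not code from the original post or from the articles it links), the following program protects a connection string with DPAPI through the .NET wrapper `System.Security.Cryptography.ProtectedData`. It shows the two scopes DPAPI offers and what each one means for the "end user" scenario above: a blob protected with `CurrentUser` can only be decrypted by processes running under the same Windows account, while `LocalMachine` lets any process on that machine decrypt it. The connection string and the entropy value are constructed sample values.

```csharp
using System;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;

// Added example: protecting a connection string with DPAPI via ProtectedData.
class DpapiConnectionStringDemo
{
    // Optional entropy: an application-specific secret mixed into the DPAPI key.
    // Without it, any other process in the same scope could call Unprotect on the blob;
    // with it, that process must also know this value. Constructed sample value.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy-v1");

    // Encrypts a plaintext string and returns the DPAPI blob to store in the config file.
    public static byte[] Protect(string plaintext, DataProtectionScope scope)
    {
        return ProtectedData.Protect(Encoding.UTF8.GetBytes(plaintext), Entropy, scope);
    }

    // Decrypts a blob produced by Protect; succeeds only for the account (CurrentUser)
    // or the machine (LocalMachine) that protected it, and only with the same entropy.
    public static string Unprotect(byte[] blob, DataProtectionScope scope)
    {
        return Encoding.UTF8.GetString(ProtectedData.Unprotect(blob, Entropy, scope));
    }

    static void Main()
    {
        // Constructed sample value, not a real server or credential.
        const string connStr =
            "Server=db.example.invalid;Database=Orders;User Id=app;Password=placeholder;";

        // CurrentUser scope: the service account that runs the application encrypts once;
        // a user logged on under a different account cannot decrypt the stored blob.
        byte[] userBlob = Protect(connStr, DataProtectionScope.CurrentUser);
        Console.WriteLine("store in config: " + Convert.ToBase64String(userBlob));

        // Round trip from the same account recovers the original string.
        string recovered = Unprotect(userBlob, DataProtectionScope.CurrentUser);
        Console.WriteLine(recovered == connStr ? "round trip OK" : "round trip FAILED");

        // LocalMachine scope: decryptable by any process on this machine, so it only
        // defends against copying the file to another host, not against local users.
        byte[] machineBlob = Protect(connStr, DataProtectionScope.LocalMachine);
        Console.WriteLine("machine-scope blob length: " + machineBlob.Length);
    }
}
```

The blob is opaque ciphertext, so it can be stored base64-encoded in `app.config`; the application decodes it and calls `Unprotect` at start-up. Note that DPAPI ties the secret to a Windows account or machine, not to the application, so an attacker who can run code as the same account gets the same decryption service; the protection is against other accounts and against the file being copied elsewhere.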

These articles describe it in more detail.

http://weblogs.asp.net/jgalloway/archive/2008/04/13/encrypting-passwords-in-a-net-app-config-file.aspx

This article discusses the CryptProtectData API and ConfigManager.

http://www.codeproject.com/Articles/15392/Implementing-Protected-Configuration-With-Windows

This article uses the ProtectedConfiguration API to protect sensitive information in your application's configuration file.
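As an added example (not code from the linked article), the following program uses the ProtectedConfiguration API to encrypt the `<connectionStrings>` section of an application's own config file with the built-in DPAPI-backed provider, `DataProtectionConfigurationProvider`, and then checks that no plaintext remains on disk. The path passed on the command line is an assumption; when omitted, the program protects its own config file.

```csharp
using System;
using System.Configuration;   // reference System.Configuration.dll
using System.IO;

// Added example: encrypting a config section in place with ProtectedConfiguration.
class ProtectConfigDemo
{
    // Built-in provider backed by DPAPI. By default it uses machine-scope protection
    // (useMachineProtection="true" in machine.config), so the section must be encrypted
    // on the machine that will run the application, and any account on that machine
    // can have it decrypted for them.
    const string Provider = "DataProtectionConfigurationProvider";
    const string SectionName = "connectionStrings";

    // Encrypts the section if it is not already protected. Returns true when it changed the file.
    public static bool ProtectConnectionStrings(Configuration config)
    {
        ConfigurationSection section = config.GetSection(SectionName);
        if (section == null || section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;     // write even if nothing else changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reads the raw XML back and confirms the section was replaced by <EncryptedData>.
    public static bool FileHasNoPlaintextSecrets(string configPath)
    {
        string raw = File.ReadAllText(configPath);
        return raw.Contains("<EncryptedData") && !raw.Contains("Password=");
    }

    static void Main(string[] args)
    {
        // Assumption: args[0] is the path of the .exe whose .config should be protected.
        string exePath = args.Length > 0
            ? args[0]
            : System.Reflection.Assembly.GetExecutingAssembly().Location;

        Configuration config = ConfigurationManager.OpenExeConfiguration(exePath);
        Console.WriteLine(ProtectConnectionStrings(config)
            ? "connectionStrings section encrypted"
            : "section absent or already protected");

        // The application code keeps reading the section as usual; decryption is transparent.
        foreach (ConnectionStringSettings cs in config.ConnectionStrings.ConnectionStrings)
            Console.WriteLine(cs.Name + " -> " + (cs.ConnectionString.Length > 0 ? "[readable]" : "[empty]"));

        // Verification step: the file on disk should now hold ciphertext, not the password.
        Console.WriteLine(FileHasNoPlaintextSecrets(config.FilePath)
            ? "no plaintext connection string on disk"
            : "plaintext still present, inspect " + config.FilePath);
    }
}
```

Because the provider decrypts transparently, no consuming code changes; the trade-off is the same as with raw DPAPI: machine scope stops the file from being useful on another host but not a local user who can run code on the same machine, so the account running the application and the file's NTFS permissions still matter.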

http://www.grimes.nildram.co.uk/workshops/secWSFifteen.htm

About SecureString.

http://msdn.microsoft.com/en-us/library/89211k9b(VS.80).aspx

Securing Connection Strings.

http://blogs.msdn.com/b/rickrain/archive/2012/02/27/using-a-server-certificate-to-protect-web-config.aspx

Using a Server Certificate to Protect Web.Config

The custom protected config provider sample is here