The web.config file is secured by IIS to not allow access to this file by users coming in through IIS. The only way to have access to this file is through NT. Therefore you can put login information in the file as long as you trust the people who have access to this file on the network.

Most of the time, you give individual security rights when you are running an intranet site and have limited users. You can also use NT groups and give rights to those groups, then assign users to a specific group.

Impersonation is used if you don't want to add ASPNET as a NT user on your domain or if you are running different sites, each with a different security needs. Impersonation can isolate to a specific web application and limit access for that one application separate from other applications running.

>Hi All,
>
>Using ASP.Net we are storing the SQL Server name and database name in the appSettings section of the web.config file. How do you folks go about making sure this info is secure.
>
>Should I tell my users the need to give the aspnet user access to the database and use NT Authentication exclusivly. Or, should I have them put a username and password in the config file? If they do this, how secure is it.
>
>What about impersonation? It seems, if I need a username/password of a windows user, this is just the same as storing the sql username/password.
>
>Thanks,
>BOb