Web applications use connection strings to connect to databases with specific credentials and other configuration. For example, a connection string can tell your web application to connect to database X on ServerA using username Z and password Y.
Connection strings are usually stored in web.config, which means that connection-specific information such as the database name, username, and password is stored as clear text in a file. This is a real security concern on your production servers, which is why the connection strings should be encrypted.
You can use the ASP.NET IIS Registration Tool (aspnet_regiis.exe) to encrypt and decrypt your connection strings. There are two scenarios to consider:
Encryption/decryption for a Single Server
Encryption/decryption for a Web Farm
Use the steps below for encryption and decryption when there is only one IIS server. This method uses the default key provider.
Run Command Prompt as Administrator
Go to C:\Windows\Microsoft.NET\Framework\v4.0.30319
Run the command below to encrypt the connectionStrings section of your web.config: ASPNET_REGIIS -pef "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
Open web.config and check if the connection string is encrypted
Test the site
If you want to decrypt the section again, run this command: ASPNET_REGIIS -pdf "connectionStrings" "D:\inetpub\wwwroot\applicationFolder"
Open the web.config and check if the connection string is decrypted
The method above won't work for web farms because one IIS server cannot decrypt a connection string that was encrypted by another. You need to create an RSA key and use it with the RSA key provider so that every server in the farm shares the same key for decryption.
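The steps above ask you to open web.config and confirm that the section is encrypted. The following added example (not part of the original article) automates that check: it parses a web.config, reports whether the connectionStrings section carries the configProtectionProvider attribute and an EncryptedData element that aspnet_regiis writes, and, if the section is still clear text, lists the entries that embed a password. Both sample configs are constructed here, and the cipher value is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Constructed sample: connectionStrings section still stored in clear text.
CLEARTEXT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=ServerA;Database=X;User Id=Z;Password=Y;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>"""

# Constructed sample shaped like the output of aspnet_regiis -pef
# (the cipher text is a placeholder, not real encrypted data).
ENCRYPTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>PLACEHOLDER_BASE64</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

# Keywords that mark an embedded credential inside a connection string.
SECRET_KEYS = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)


def audit_connection_strings(config_xml):
    """Return (status, detail) for the <connectionStrings> section.

    status is "missing", "encrypted" or "cleartext". detail is the protection
    provider name for an encrypted section, or the names of clear-text
    entries whose connection string embeds a password.
    """
    root = ET.fromstring(config_xml)
    section = root.find("connectionStrings")
    if section is None:
        return ("missing", [])
    provider = section.get("configProtectionProvider")
    encrypted = section.find("{%s}EncryptedData" % XMLENC_NS)
    if provider and encrypted is not None:
        return ("encrypted", provider)
    exposed = [add.get("name") for add in section.findall("add")
               if SECRET_KEYS.search(add.get("connectionString", ""))]
    return ("cleartext", exposed)
```

The provider name it returns is also the quick way to see which protected-configuration provider a farm server is using before you compare it with the others.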