I'm attempting to figure out how to use a single well known login user/password for the db, then use the security system to authenticate, do roles/permissions, etc. I.e. I'm using a more 'web' like system within this winform app. I'm at a loss to determine a secure way to do this. I don't want the user's knowing much of anything about the database they are connecting to. Unfortunately the Connection Manager displays the database name and the user name when a shared settings file is used. The database name is OK (not great, just ok), but the user name is definitely not OK.



I could set the DataSources manually, but then I'm left with a bunch of other security holes, chiefly that most .net approved places to store app settings are done so in clear text or there are significant challenges to encrypt the app.config file.



Also, I will likely want to build the connection based on how they are connecting to the database, either locally or via some sort of VPN (some VPNs I've used required the IP, others the server name). I also need to use the TCP/IP library to connect (to SQL Server 2000), since this is how the VPNs work (at least the ones I'm working with). This all adds up to a quandary about how to connect to the database(s). The app needs to know the user name and passwords for each database it is connecting to, but these need to be secure. It is too easy to decompile a .net app, so placing it in the compiled code is not good. The app.config is clear text and encrypting it causes problems since I can't encrypt it easily in a way that allows any user of the app to decrypt it (as far as I understand it).



Is there any way to store these sorts of settings in a secure file, like the shared settings file for connections? Preferably, it would be just like the shared connections file, in that it could be on a UNC share (or local) or even better a secure web site. Any help would be greatly appreciated!