Actually there are additional possibilities!
I keep connection strings in a component which is compiled as a Windows
Service on a particular machine in our network. All our applications send
an application token to this service to request the connection string via
..NET remoting. The advantage is that the connection strings are all in one
project (the client DLLs for accessing the component just have empty stubs
for the methods). The only machine they can be physically found on is
locked up in a secure room and is not accessible to anyone via the network
other than development staff. Someone with enough knowledge of Remoting
could probably figure out how to call the component, and eventually we may
add encryption for another layer of protection, but for now there are only 3
people in the organization who have the requisite skills to get at this
info, and we all need to know the passwords involved, anyway.
If you are concerned about security I'm not sure that either the registry or
a config file is a very secure place for this kind of info. Given only
those two choices to work with, I'd lean towards a config file -- probably
one dedicated to sensitive info, that is shared by all application instances
if possible. That way the info is located in one place rather than in the
registry of every machine that might run the app, and you can probably
secure it more effectively if it's only a single location to deal with.
My $0.02, anyway ...
--Bob
