The current implementation of ASP.NET does not allow true security (another
site on the same server often has enough permission to do a successful
attack). The trick to security is where to hide the key (the application block
approach), or, when you request the key, how to prove who you are (missing in
ASP.NET).
The application block uses a registry key that the application picks. But
any app on the web server has permission to the resource file where the key
name is stored and the registry where the key is stored, so they can look up
the key and get the data. So you need to lock down the registry. This works
if your site is anonymous and you have an NT account for your site, but will
not work if you use authentication.
-- bruce (sqlwork.com)
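
An added example, not part of the post above: one way to lock down the registry key so that only the site's own NT account can read it. The key path and account name are hypothetical placeholders, and the script assumes the key already exists and is run from an elevated session.

```powershell
# Hypothetical values: substitute the key your application uses and the
# NT account your anonymous site runs under.
$KeyPath     = 'HKLM:\SOFTWARE\ExampleSite\Crypto'
$SiteAccount = 'WEBSRV01\site1_anon'

$acl = Get-Acl -Path $KeyPath

# Stop inheriting permissions from the parent key and discard inherited entries,
# so broad grants higher in the hive no longer apply here.
$acl.SetAccessRuleProtection($true, $false)

# Remove explicit entries already on the key (inherited ones are dropped above).
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}

$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

# Administrators and SYSTEM keep full control; the site account gets read only.
$grants = @(
    @{ Identity = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Identity = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Identity = $SiteAccount;             Rights = 'ReadKey' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $g.Identity,
        [System.Security.AccessControl.RegistryRights]$g.Rights,
        $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -Path $KeyPath -AclObject $acl

# Check the result: only the three identities above should be listed,
# and none of the entries should be inherited.
(Get-Acl -Path $KeyPath).Access |
    Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
```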