Web.Config Security on shared server

[experience]

My web.config contains passwords to my database and smtp and i want to tighten up the security, i want to protect the passwords fully so if a hacker or webhost employee accessed all the webserver files the passwords cannot be easily accessed

I run on a shared host so using encryption could be an issue as i havnt got full IIS access - i havnt gone down that road yet to look fully into it

I was thinking it might be easier and secure enough if i moved the connection strings & passwords from the web.config into a referenced .dll which was protected by a professional obfuscation tool

[sapator]

If you have physical access to the server you can use aspnet_regiis to encrypt. Only drawback is that another person having access to the server could decrypt.
Moving to a dll don't make much sense because someone having physical access will get the dll and open it.
Using obfuscation is something i haven't tried on asp.net and i cannot be sure about the behavior of the web pages or IIS.
Bottom line if someone can have physical access to your files then you have a problem.If you have your sql server on another machine without access from another then maybe you can move your passwords there and call them in code.
Or maybe move your a web config there, have a small web project to decrypt the passes and transfer them to your current web site(with HttpWebRequest or something similar.Of course here someone can intercept the message so it may have to be encrypted, bummer ).
Anyhow the simplest is to encrypt the web.config on the server.