The database connection string is stored in clear text in the settings.xml file. For this reason, you should use Trusted Authentication whenever possible, so that the user name and password for your SQL Server are not contained in the file.
If you choose to specify the user name and password, you should not store this file on any network share that unauthorised users can access.
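One way to check which case a given settings.xml falls into, as an added example that is not part of the product or its documentation: the script finds connection strings in the file and reports whether they carry SQL credentials or use Trusted Authentication. The layout of settings.xml is not shown on this page, so the element and attribute names in the constructed samples are assumptions, and the script scans every element and attribute rather than a fixed path.

```python
import xml.etree.ElementTree as ET

# SQL Server connection-string keywords (matched case-insensitively).
SERVER_KEYS = {"server", "data source", "address", "addr", "network address"}
CRED_KEYS = {"user id", "uid", "user", "password", "pwd"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}
TRUSTED_VALUES = {"true", "yes", "sspi"}

# Constructed sample files; element and attribute names are assumptions.
SAMPLE_SQL_AUTH = """<settings>
  <connectionString>Server=db01;Database=App;User ID=appuser;Password=EXAMPLE-ONLY;</connectionString>
</settings>"""
SAMPLE_TRUSTED = """<settings>
  <database connection="Data Source=db01;Initial Catalog=App;Integrated Security=SSPI;" />
</settings>"""

def parse_conn_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_settings(xml_text):
    """Return (location, finding) for each connection string in the XML."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Check both element text and attribute values, since the layout is unknown.
        candidates = [(elem.tag, elem.text or "")]
        candidates += [(f"{elem.tag}@{name}", val) for name, val in elem.attrib.items()]
        for where, value in candidates:
            pairs = parse_conn_string(value)
            if not SERVER_KEYS & pairs.keys():
                continue  # no server keyword, so not a connection string
            creds = sorted(CRED_KEYS & pairs.keys())
            trusted = any(pairs.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS)
            if creds:
                findings.append((where, "clear-text credentials: " + ", ".join(creds)))
            elif trusted:
                findings.append((where, "trusted authentication"))
            else:
                findings.append((where, "no authentication keywords found"))
    return findings

if __name__ == "__main__":
    for name, sample in (("sql-auth", SAMPLE_SQL_AUTH), ("trusted", SAMPLE_TRUSTED)):
        print(name, audit_settings(sample))
```

A string that contains both credential keywords and a trusted-authentication keyword is still reported as holding clear-text credentials, since the password is in the file either way.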