I find your points less than compelling.
Just because people often store connection strings in plain text does not make it a "best practice" or even acceptable.
According to Microsoft "Protecting access to your data source is one of the most important goals when securing an application. A connection string presents a potential vulnerability if it is not secured. Storing connection information in plain text or persisting it in memory risks compromising your entire system." (See:
As to point 2 ("We avoid putting Orchard app settings (like connection strings) in Web.config"), have you considered the use of external configuration files?
"External configuration files are separate files that contain a fragment of a configuration file consisting of a single section. The external configuration file is then referenced by the main configuration file. Storing the connectionStrings section in a physically separate file is useful in situations where connection strings may be edited after the application is deployed. For example, the standard ASP.NET behavior is to restart an application domain when configuration files are modified, which results in state information being lost. However, modifying an external configuration file does not cause an application restart. External configuration files are not limited to ASP.NET; they can also be used by Windows applications. In addition, file access security and permissions can be used to restrict access to external configuration files. Working with external configuration files at run time is transparent, and requires no special coding."
While integrated security has a lot going for it, it is far from a panacea. Three points come to mind immediately:
1) The "double hop issue" when your database server is on a separate computer from your IIS server (See:
2) Would not the requirement to use integrated security virtually eliminate the possibility of using shared hosting?
3) Requiring integrated security would preclude a MONO version of Orchard as a practical matter (in that any computer with integrated security would be a Windows computer with .Net already supported).
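
The external configuration file arrangement quoted above, shown as an added example that is not part of the original post or of Orchard's own configuration. The file name ConnectionStrings.config, the connection name AppDb, and the server, user and password values are constructed placeholders.

```xml
<!-- BEFORE: Web.config with the connection string inline.
     Anyone who can read Web.config can read the credentials. -->
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Data Source=DBSERVER;Initial Catalog=AppDb;User ID=app_user;Password=PLACEHOLDER"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>

<!-- AFTER: Web.config only points at the external file.
     When configSource is used, the element carries no other
     attributes or child elements, and the path must be relative
     to Web.config (same directory or a subdirectory). -->
<configuration>
  <connectionStrings configSource="ConnectionStrings.config" />
</configuration>

<!-- ConnectionStrings.config (separate file, assumed name).
     It contains only the one section, with no <configuration>
     wrapper. File permissions on this file can be narrower than
     those on Web.config, for example read access for the
     application pool identity only. -->
<connectionStrings>
  <add name="AppDb"
       connectionString="Data Source=DBSERVER;Initial Catalog=AppDb;User ID=app_user;Password=PLACEHOLDER"
       providerName="System.Data.SqlClient" />
</connectionStrings>
```

Application code reads the value the same way in both layouts, which is the "transparent at run time" property the quoted passage describes.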