Usually the config files for production environment are managed by the person responsible for the deployment and management of the system and are modified on the same machines as they are deployed to reduce the risk of being compromised between the development and the deployment process. In such scenario if an unauthorized person gets access to the production configuration files on your production machine you are already in big trouble because you have a security breach.
On the other hand while your assemblies are still sensitive they contain (or should contain) less security critical details while they are passing between different development, testing and integration workflows. So if a malicious person acquires any of them he/she may gain knowledge of the system's routines, but not where exactly the data is coming which gives you another layer of protection.
For your scenario with two separate projects you need to specify the configuration in the app.config file of the executable (your Windows or Console application) or in the web.config of your web application. For a web site you will use a web.config file in the root web site folder and it will not be compiled in the assembly.
If you need any further assistance do not hesitate to contact us.
Regards and Happy New Year,
OpenAccess ORM is now Telerik Data Access
. For more information on the new names, please, check out the Telerik Product Map