kaptan

Reputation: 3149

Why .NET Data Provider for SQL Server does not Accept Windows Username and Password in Connection String?

According to MSDN when constructing a connection string for SQL Server:

If User ID and Password are specified and Integrated Security is set to true, the User ID and Password will be ignored and Integrated Security will be used.

Now the question is why the data provider does not let the user hard code a specific Windows username and password in the connection string?

How is this worse than hard coding a SQL username and password?

Isn't it better to configure SQL server to only accept Windows logins (basically disable SQL authentication) and on client side specify Windows username and password, rather than running SQL server in mixed mode (both Windows and SQL authentication enabled) and create a SQL user for every single database server/instance and specify SQL username and password in connection string?

At least when using Windows authentication you just need to manage one domain user, but in case of SQL Server authentication you have to manage a user per SQL server/instance.

Upvotes: 0

Views: 466

Answers (1)

Erik Funkenbusch

Reputation: 93474

The point of integrated security is so that you aren't hard coding a username and password. This prevents an attacker who might gain access to the machine from reading the configuration file and learning domain usernames and passwords.

It's a security mechanism that mitigates machine compromise.

Upvotes: 0
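An added example (not part of the answer above or of MSDN): a small Python audit that classifies connection strings pulled from configuration files and flags stored credentials, including the MSDN case where User ID and Password are ignored by the provider but still sit readable in the file. The parser is a simplified model of the key=value syntax, and the sample strings, server names and account names are constructed for illustration.

```python
import re

# Keyword synonyms recognised for SQL Server connection strings (lower-cased).
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
USER_KEYS = {"user id", "uid", "user"}
PASSWORD_KEYS = {"password", "pwd"}
TRUE_VALUES = {"true", "yes", "sspi"}

# key=value pairs separated by ';'; a value may be wrapped in single or double quotes.
PAIR = re.compile(r"""\s*([^=;]+?)\s*=\s*("[^"]*"|'[^']*'|[^;]*)\s*(?:;|$)""")

def parse(conn_str):
    """Return a dict of lower-cased keywords to unquoted values (last one wins)."""
    out = {}
    for key, value in PAIR.findall(conn_str):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        out[key.lower()] = value
    return out

def classify(conn_str):
    """Say how the string authenticates and whether it stores credentials."""
    kv = parse(conn_str)
    integrated = any(kv.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS)
    has_user = any(kv.get(k) for k in USER_KEYS)
    has_password = any(kv.get(k) for k in PASSWORD_KEYS)
    if integrated and (has_user or has_password):
        # Ignored at connect time, but still readable by anyone who can read the file.
        return "integrated-stale-credentials"
    if integrated:
        return "integrated"
    if has_password:
        return "sql-auth-embedded-password"
    return "sql-auth-no-password"

# Constructed sample inputs, as they might appear in an app.config or web.config.
SAMPLES = [
    "Server=db01;Database=Orders;Integrated Security=SSPI",
    "Server=db01;Integrated Security=true;User ID=CORP\\svc_orders;Password=constructed-secret",
    "Data Source=db01;Initial Catalog=Orders;UID=app;PWD='p;w'",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):32} {s}")
```
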
