You can encrypt connection strings in your config files to help security some. If you're using SQL Server or Windows authentication, you do want all connections from the application server to the database server to be using the same login though, so that you can enable connection pooling:
https://msdn.microsoft.com/en-us/library/8xx3tyca(v=vs.110).aspx
You can change what login IIS would use with the database for Windows authentication in the Application Pool, Identity property:
https://www.syncfusion.com/kb/6897/how-to-add-permission-for-iis-application-pool-to-access-sql-server-database