Your connection string can either have a specific username and password in it, or it can use integrated security (Windows security). I haven't set one up in a while, but I think it's something about "trusted connection=yes" or something like that.

The disadvantage to including the username and password in the connection string is that this can then be captured pretty easily and used to hack your database. Of course, if it's connecting from a web server on your LAN to a database server on the same LAN, it's unlikely to be hacked that way. It's mainly an issue if the application will ever be used from a desktop machine.