Depends.
Are you using plain web services or WSE/WCF web services
Do you wish to use transport level or message level authentication.
You will need WSE or WCF to do message level authentication.
How are you authenticating users? Integrated security, client certificates, Basic, Digest…
For plain web services (no WS-Security) you only have the option of using IIS security for restricting access. Unless you modify the web service to implement your own access control.