You have basically six options:
Windows accounts are great on the intranet, not so great on Internet scripts (only built-in, customizable)
Username / password for ASP.NET membership system: you still need to store a database of valid users; depending on what you want to do, this may work for you (built-in, only configuration - you need to track your user base)
Certificates on client machines: only those machines that have the correct certificates are allowed; great for a closed user group, not so good in scripts related to Internet access (built-in, customizable)
Some required header is either checked on the basis of the database (for example, "valid header tokens"), or simply checked, for example. checksum calculation or something - anyone who knows your "secret" header will be able to call (built-in, requires a bit of coding to extract and verify the header).
Some custom solutions - you can define your authentication / authorization scenario and customize it to your liking; requires some code on your side, but gives you maximum flexibility (your own code completely)
No checks - just leave it open to everyone (only built-in, configure)
The extraordinary WCF guru, Juval Lowy, has an excellent article in the MSDN journal: WCF declarative security - maybe this can give you some additional tips and pointers. He basically defines five scenarios and discusses his recommended solution for each (and also bakes this substance in a ready-made declarative structure based on attributes)