I have done some research and I just want to verify what I believe are the
security options for SQL server 2005 native XML web services (using ENDPOINT
and WebMethod).

1. Application roles cannot be used (I assume this because the connection is
not kept open so you can only call one proc at a time and application roles
need state and need to call a stored proc to set the state).

2. NT authentication:
a. Each NT USER must be added as a Login to SQL Server
b. Each NT USER must be granted CONNECT to the ENDPOINT
c. Each NT USER must be added to the database with the stored procedures
being exposed
c. Each NT USER must be granted EXEC on the stored procedures being exposed;
this could be done by adding the user to a database role that has the
permissions etc.
d. There is no way to just add NT users to a Domain security group and give
that group permissions - you must do the above for each individual user

3. Sql Server authentication - I guess you could create a login/password in
SQL Server that have all of the above permissions and then hard code that in
the client for connecting to the web services. Haven't tried this, but would
require a lot less logins to be added to SQL.

Seems that it is about time to have integration with active directory and NT
security groups (roles) with SQL Server... that would definitely be useful.