I've been pretty happy so far with an implementation to secure my webservices using an IHttpModule to capture the SoapHeader early in the pipeline and authenticate before getting to the webservice call itself. This eliminates the need to deal with authentication in each WebMethod call.
Another area I'm looking at is securing the WSDL - since the WSDL request is not made using a SoapRequest, the mechanism has to be different.
Right now, I'm considering hooking the ASMX request and looking for the ?WSDL parameter (https://myService/myService.asmx?WSDL). I could then intercept the call and hand back a bogus/empty WSDL if authentication parameters are not specified. If they add parameters for authentication, then I could hand back the real WSDL (https://myService/myService.asmx?WSDL&User=YaddaYadda&Pwd=BlahBlah).
What's interesting is that I could use my permissioning bits to hand back a custom WSDL, but I'd rather not force someone to reacquire the WSDL if they purchase new capabilities. My feeling now is that leaving any messages about permissioning are best left up to the individual functions.
I'll blog more as I move forward on the implementation.