I've got a smart client app (C#) - client + web service.  At present I am to
add security features to the app using WSE 2.0.  Security is a very new area
for me and after 3 days of reading I'm overloaded with the info :-(((.  I
went through the Hands-on Lab (great, was really helpful) but the problem is
that our scenario doesn't conform to any others found on the web.

1. My application is going to be installed in either of the following ways:
- Both client-side app and web service installed on a machine (WinXP) that
runs SQL server with our database on it.  My webservice talks to this DB.
- The client app is installed on a machine (WinXP) that talks to a remote
server (Win2000/2003) (with the same database) where my web service is
installed as well.

2. Our server *is not* a Web Server. (This is going to be the case only in
the future).

3. I don't want to use certificates at present. As far as I understood they
are the most secure but also the most difficult to deploy.

4. The existing database does not contain any table with usernames, how I am
supposed to perform authentication? The default (plainText password with WSE
performing automatic authentication) only works for the local machine (my
understanding). What happens if my web service is on the remote server?

5. I also need authorization (users from a certain group only can use the
service) as part of the security procedure.  Again, I can verify this on the
local machine, how does the remote server do it?

6. From what I read and understood I'd like to use some sort of
authentication (Username or custom probably), authorization, signatures and
encryption.

7. I would prefer to use policy files. As we are probably going to change
the policy in the future, to do it with the policy files would be easier. But
how to use them with my scenario?

Your help will be *highly* appreciated.  As I am very new to the security
subject, simple and straitforward instructions and tips will be preferable.

Anna