By default security is built in to a ASP.NET Web Forms application or an ASP.NET MVC application, and the settings are already in the root level web.config file. Forms mode is best used with internet applications and Windows mode for intranet applications. In forms mode the use must enter a username and password to access the pages where access is limited to authorised users
By default usernames and passwords will be stored in a local SQL Server LocalDb database file stored in the App_Data folder. This database is automatically created when the first user registers.
The membership security system can be configured in various ways. The standard settings are shown above. The only one I would be tempted to change for sure is that I believe each user should have a unique email address in order to avoid confusion.