That’s the default behavior of the [Authorize] attribute. So you could selectively decorate controller actions that requires authorization by this attribute:

[Authorize]
public ActionResult SomeAction()
{
    ...
}

And if you want to apply it on multiple actions you could write a base controller and then decorate this base controller with the given attribute. Then all child controllers that derive from this base controller and all actions will require authorization in order to be accessed.

You also have the possibility to write a custom authorization attribute based on the specific requirements you might have. For example:

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        return httpContext.Session["UserId"] != null;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // if the user doesn't have the userid value in session
        // redirect him to the index action on the home controller
        var values = new { controller = "Home", action = "Index" };
        filterContext.Result = new RedirectToRouteResult(new RouteValueDictionary(values));
    }
}

then decorate actions/controllers that need to follow this custom authorization logic with this attribute:

[MyAuthorize]
public ActionResult SomeAction()
{
    ...
}

Now when you authenticate an user in your login action (which obviously shouldn’t be decorated with any authoraztion attribute), upon valid credentials, you would add the UserId property to the session and redirect to some other controller action that is itself decorated with this attribute and which requires authentication.

For most cases though, the default Authorize attribute is sufficient.