Requirements determine implementation, and often, requirements rule out what is “best”. Best is an ideal. Sometimes you just have to get the job done, and “pretty good” trumps “best” about 75% of the time. If you HAVE to have multiple applications accessing the same data, then you have already ruled out local DBs. That can’t be an option unless you are willing to use a replication setup, which actually isn’t bad, generally speaking ( http://msdn.microsoft.com/en-us/library/ms151198.aspx ).

If you are going to use a full blown SQL Server instance on a network, then your security options are contingent. Intranet or Internet? Is everyone using Windows or flavors of Linux/Unix or Macs? If it’s within a company and they all use Windows, then use Windows Integration. You can use this with desktop and web apps. It’s very robust, and you don’t have to roll your own security code. If people are coming from everywhere, you may want to code and access table and encryption the passwords. DO NOT STORE THEM IN PLAIN TEXT. If it’s over the Internet, and anyone in the world can access it using an outward facing web app, then Microsoft has options for you there, too. Secure the app before anything else, then secure the db. Parse this for useful options: http://msdn.microsoft.com/en-us/magazine/cc301387.aspx