You are asking two separate questions here.
Programmatic access. The first question is: For web services that are only supposed to be exposed to other internal code, how should the programmatic clients be authenticated? My answer: I recommend using SSL with client certificates.
Here's how to do that, in more detail. The client should contact the service via a https URL. Each client should be provisioned with its own SSL client cert. The service should check that the client's cert is on a list of authorized clients, or else check that the client cert is signed by your internal CA (your choice).
In addition, for better security, you might consider running those internal-facing web services on a separate host that is firewalled off from the outside world, so nobody on the external Internet can open a connection to those internal web services.
Human access. The second question is: For web services that are only supposed to be exposed to internal system administrators, how should access be controlled? My answer: there are several approaches.
The simplest and probably the most pragmatic answer is to set up a separate account for each of your administrators, and use standard password-based authentication to limit access to those accounts. Generate a long, strong password for each admin account, and tell the admin not to share their password. Set up the web service to use SSL sitewide (only accessible via https, not via http), to prevent attackers from sniffing an admin's password if they happen to connect over an open Wifi connection. In this approach, the web services are still running on an externally-facing, Internet-connected host, but no one other than an admin should be able to log in to them.
A more secure approach is to put those web services on your internal network, and don't put them on an external-facing host. Firewall them off from the external Internet. If your admins want to log in while they are working remotely, they can VPN into your internal network. You will still want to create an account for each administrator on the web service and generate strong, long passwords for the admins.
For high-security installations, there are additional ways to provide even stronger security. Those mechanisms probably aren't necessary for the average internal web service, but if you are in an especially security-sensitive area, just let us know and we can provide you with additional controls.