By default, authenticated users can connect to a WDS share and read the .wim files. When a user performs a PXE boot using the boot image provided by WDS, their domain credentials can be used for authentication. This is the default behavior for the share.
If this is not desirable in your environment, create a new security group that contains the users that you want to be able to access the share. Grant this group the ability (at minimum) to Read & Execute, List Folder Contents, and Read. Then remove the Authenticated Users group.
Once this is completed, if a user attempts to authenticate to the WDS server, this is what they see:
The user will not be presented with any images.
If the user is in the correct security group, they will get a listing of the available images to select from.