By default, no Administrative Passwords are set and anyone that has physical access to a phone can access the 'Administrator Settings' menu and change its settings.
Create a new or update an existing 'Common Phone Profile' in the CUCM menu Device > Device Settings > 'Common Phone Profile' and populate the field 'Local Phone Unlock Password'.